[wp-trac] [WordPress Trac] #21022: Use bcrypt for password hashing; updating old hashes
WordPress Trac
noreply at wordpress.org
Tue Sep 17 21:47:10 UTC 2019
#21022: Use bcrypt for password hashing; updating old hashes
-------------------------------------------------+-------------------------
Reporter: th23 | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Future Release
Component: Security | Version: 3.4
Severity: major | Resolution:
Keywords: 2nd-opinion has-patch needs-testing dev-feedback | Focuses:
-------------------------------------------------+-------------------------
Comment (by mbijon):
My earlier comment is meant to cut off a potential red herring to this
long-running ticket. But it could also be seen as a pretty big red herring
itself.
To bring things back to the point: Let's get rid of MD5 hashing.
**I'm in favor of implementing bog standard PHP 5.6 `password_hash(
$password, PASSWORD_BCRYPT )`.**
I think if work here focuses on a good backbone of UX and hash-detection,
then we'll have an easy path to best-case `PASSWORD_DEFAULT` and Argon2
support in the future.
**Next release:**
* Add the code from `21022.4.diff` but don't remove `passwordHash` yet
* Implement hash-type detection for `$P$B`, `$2y$` and `$argon2i$` (maybe
`$2a$`?)
* Using that hash-type detection: 1. Add unit tests for `$2y$`
functionality. 2. Deprecate `passwordHash` and start testing for
`E_DEPRECATED`
* Plus, plugins like "wp-password-bcrypt" will easily be able to test
for support & capabilities.
* Add an Admin alert to eligible RCs and maybe one major-version of
WordPress that detects if `$P$B` hashes are in-use. While PHP 5.6+ ensures
support for BCrypt it would be good to warn of a pending password-
expiration & length-limit.
* Implement password-expiration for all `$P$B` hashes in Upgrade. Include
an Action so Admins can opt to have this upgrade process send password-
expiration emails or similar.
* With hash detection this will ensure NOT expiring `$2y$` or other
hashes (in case a site already has "wp-password-bcrypt" or similar
installed).
* UX update to registration & pw-reset to inform users of the 72-char
password length-limit.
**Future release:**
* REVISE the `password_hash( *, PASSWORD_BCRYPT)` code to `password_hash(
*, PASSWORD_DEFAULT )` and add a test for `$argon2i$`
* Remove `passwordHash`
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:115>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
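The hash-type detection and `$P$B`-to-bcrypt upgrade path that the comment above sketches, as an added example. This is not WordPress core code and not the `21022.4.diff` patch; it is a stand-alone PHP 7.1+ script written for this page. The phpass routine is a compact re-implementation of the portable `$P$` hash algorithm (MD5 chain with the phpass base64 alphabet) so the script can verify legacy hashes offline; the bcrypt cost of 12, the fixed demo salt `abcdefgh` and the demo passwords are constructed assumptions. Successful logins against a legacy or out-of-date hash return a fresh bcrypt hash for the caller to store, which is the "updating old hashes" half of the ticket title; the 72-byte check is the length limit the comment wants surfaced in registration and password-reset UX.

```php
<?php
// Added example: hash-type detection by prefix, verification per type, and
// transparent upgrade of legacy phpass ($P$B) or plain-MD5 hashes to bcrypt.
// Not WordPress core code. Assumes PHP 7.1+; BCRYPT_COST is an assumption.

const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
const BCRYPT_COST = 12;           // assumed cost; tune to ~250 ms on the target host
const BCRYPT_MAX_BYTES = 72;      // bcrypt silently ignores bytes past this

// phpass base64 variant (not RFC 4648): 6 bits per output character.
function phpass_encode64(string $input, int $count): string {
    $output = '';
    $i = 0;
    do {
        $value = ord($input[$i++]);
        $output .= ITOA64[$value & 0x3f];
        if ($i < $count) { $value |= ord($input[$i]) << 8; }
        $output .= ITOA64[($value >> 6) & 0x3f];
        if ($i++ >= $count) { break; }
        if ($i < $count) { $value |= ord($input[$i]) << 16; }
        $output .= ITOA64[($value >> 12) & 0x3f];
        if ($i++ >= $count) { break; }
        $output .= ITOA64[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $output;
}

// Portable phpass hash: "$P$" + cost char + 8-char salt + 22-char encoded MD5 chain.
// The cost char 'B' (index 13 in ITOA64) is 2^13 = 8192 MD5 rounds, as WordPress uses.
function phpass_crypt(string $password, string $setting): string {
    if (substr($setting, 0, 3) !== '$P$') { return '*0'; }
    $count_log2 = strpos(ITOA64, $setting[3]);
    if ($count_log2 === false || $count_log2 < 7 || $count_log2 > 30) { return '*0'; }
    $count = 1 << $count_log2;
    $salt = substr($setting, 4, 8);
    if (strlen($salt) !== 8) { return '*0'; }
    $hash = md5($salt . $password, true);
    do {
        $hash = md5($hash . $password, true);
    } while (--$count);
    return substr($setting, 0, 12) . phpass_encode64($hash, 16);
}

function hash_has_prefix(string $hash, string $prefix): bool {
    return strncmp($hash, $prefix, strlen($prefix)) === 0;
}

// Classify a stored hash by its modular-crypt prefix (or bare 32-hex MD5).
function detect_hash_type(string $hash): string {
    if (hash_has_prefix($hash, '$P$')) { return 'phpass'; }
    if (hash_has_prefix($hash, '$2y$') || hash_has_prefix($hash, '$2a$')) { return 'bcrypt'; }
    if (hash_has_prefix($hash, '$argon2i$') || hash_has_prefix($hash, '$argon2id$')) { return 'argon2'; }
    if (preg_match('/^[0-9a-f]{32}$/', $hash) === 1) { return 'md5'; }
    return 'unknown';
}

// True when the candidate would be truncated by bcrypt; reject it in registration/reset UX.
function exceeds_bcrypt_limit(string $password): bool {
    return strlen($password) > BCRYPT_MAX_BYTES;
}

// Verify $password against $stored. Returns [ok, new_hash]; new_hash is a bcrypt
// hash the caller should persist when the stored one is legacy or under-cost.
function check_and_upgrade(string $password, string $stored): array {
    $type = detect_hash_type($stored);
    switch ($type) {
        case 'phpass': $ok = hash_equals($stored, phpass_crypt($password, $stored)); break;
        case 'md5':    $ok = hash_equals($stored, md5($password)); break;
        case 'bcrypt':
        case 'argon2': $ok = password_verify($password, $stored); break;
        default:       $ok = false;
    }
    if (!$ok) { return [false, null]; }
    // Upgrade anything that is not bcrypt, and bcrypt hashes made with another cost.
    $opts = ['cost' => BCRYPT_COST];
    if ($type !== 'bcrypt' || password_needs_rehash($stored, PASSWORD_BCRYPT, $opts)) {
        return [true, password_hash($password, PASSWORD_BCRYPT, $opts)];
    }
    return [true, null];
}

// Constructed demo: a legacy $P$B hash with a fixed salt, then a login that upgrades it.
$legacy = phpass_crypt('correct horse', '$P$B' . 'abcdefgh');
[$ok, $new] = check_and_upgrade('correct horse', $legacy);
assert($ok && $new !== null && detect_hash_type($new) === 'bcrypt');
[$ok2, $new2] = check_and_upgrade('correct horse', $new);   // already bcrypt at this cost
assert($ok2 && $new2 === null);
[$bad, $none] = check_and_upgrade('wrong password', $legacy);
assert(!$bad && $none === null);
assert(exceeds_bcrypt_limit(str_repeat('x', 73)));
echo detect_hash_type($legacy), ' -> ', detect_hash_type($new), PHP_EOL;
```

Switching the first `PASSWORD_BCRYPT` in `check_and_upgrade` to `PASSWORD_DEFAULT` is the "future release" step the comment describes: `password_needs_rehash` then reports existing bcrypt rows as stale once PHP's default moves, and the `argon2` branch already verifies them. Detection by prefix is also what lets an upgrade routine expire only `$P$B` rows and leave `$2y$` rows written by a plugin such as wp-password-bcrypt alone.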