[wp-trac] [WordPress Trac] #21022: Use bcrypt for password hashing; updating old hashes

WordPress Trac noreply at wordpress.org
Wed Sep 18 07:13:44 UTC 2019


#21022: Use bcrypt for password hashing; updating old hashes
-------------------------------------------------+-------------------------
 Reporter:  th23                                 |       Owner:  (none)
     Type:  enhancement                          |      Status:  new
 Priority:  normal                               |   Milestone:  Future
                                                 |  Release
Component:  Security                             |     Version:  3.4
 Severity:  major                                |  Resolution:
 Keywords:  2nd-opinion has-patch needs-testing  |     Focuses:
  dev-feedback                                   |
-------------------------------------------------+-------------------------

Comment (by paragoninitiativeenterprises):

 Replying to [comment:121 mbijon]:
 > Funny @paragoninitiativeenterprises, I just found the pointer
 > dereference in PHP's bcrypt:
 > https://github.com/php/php-src/blob/master/ext/standard/crypt_blowfish.c#L613.
 > Combining crypto methods is never a good idea, eh.

 Most cryptography vulnerabilities exist in the mortar, not the bricks.

 > I can't help but worry your bcrypt-sha512-base64 solution will make
 > jumping to `PASSWORD-DEFAULT` harder @paragoninitiativeenterprises. But
 > heck! it's still 10^6^ better than SHA, and way closer to vanilla
 > `password_hash()` than we have now.

 It won't make it significantly difficult.

 We just need to ensure a reasonable migration path exists for post-bcrypt
 password hashes, in the same spirit as
 https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016#legacy-hashes
 and https://make.wordpress.org/core/2019/05/17/security-in-5-2

 Back on focus: This ticket was originally targeting WordPress 3.4 when a
 PHP 5.2 minimum was unlikely to change.

 Surely with a minimum PHP of 5.6 (the story today) we can seriously
 consider migrating to bcrypt in a near-future release?

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:122>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
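The migration path the comment refers to, as an added illustration that is not WordPress core code and not the commenter's own: a bcrypt-sha512-base64 hash is verified the legacy way, and on the user's next successful login the account is re-hashed with plain `password_hash()` and `PASSWORD_DEFAULT`. The `$pre$` prefix that marks pre-hashed entries is an assumed storage convention; the code needs only the `password_*` functions available since PHP 5.5.

```php
<?php
// Added illustration, not WordPress core code: verify a bcrypt-sha512-base64
// hash and upgrade it to plain password_hash()/PASSWORD_DEFAULT on the
// user's next successful login. The '$pre$' prefix that marks pre-hashed
// entries is an assumed storage convention, not something WordPress uses.
define('PREHASH_TAG', '$pre$');

// Pre-hash with SHA-512 and base64-encode so bcrypt never sees a NUL byte.
// bcrypt only reads the first 72 bytes of the 88-character result, which
// still leaves well over 400 bits of the digest in play.
function prehashed_bcrypt($password)
{
    $pre = base64_encode(hash('sha512', $password, true));
    return PREHASH_TAG . password_hash($pre, PASSWORD_BCRYPT);
}

function is_prehashed($stored)
{
    return strncmp($stored, PREHASH_TAG, strlen(PREHASH_TAG)) === 0;
}

// Returns array(verified, newHashOrNull). A non-null second element means
// the caller must persist the upgraded hash for this user.
function verify_and_maybe_upgrade($password, $stored)
{
    if (is_prehashed($stored)) {
        $bcryptHash = substr($stored, strlen(PREHASH_TAG));
        $pre = base64_encode(hash('sha512', $password, true));
        if (!password_verify($pre, $bcryptHash)) {
            return array(false, null);
        }
        // Legacy pre-hashed entry verified: re-hash with the current default.
        return array(true, password_hash($password, PASSWORD_DEFAULT));
    }

    if (!password_verify($password, $stored)) {
        return array(false, null);
    }
    // Already on password_hash(); re-hash only if algorithm or cost changed.
    $upgrade = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return array(true, $upgrade);
}

// Constructed demo: a legacy entry is verified and upgraded in one login.
$stored = prehashed_bcrypt('correct horse battery staple');
list($ok, $new) = verify_and_maybe_upgrade('correct horse battery staple', $stored);
echo ($ok && $new !== null && !is_prehashed($new)) ? "verified and upgraded\n" : "unexpected\n";
list($bad) = verify_and_maybe_upgrade('wrong password', $new);
echo $bad ? "unexpected accept\n" : "wrong password rejected\n";
```

Because the upgrade happens only when the plaintext is available at login, rows for accounts that never log in stay on the legacy scheme, so a migration also needs a policy for retiring those hashes.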
