[wp-trac] [WordPress Trac] #21022: Use bcrypt for password hashing; updating old hashes

WordPress Trac noreply at wordpress.org
Mon Dec 12 10:03:15 UTC 2022


#21022: Use bcrypt for password hashing; updating old hashes
-------------------------------------------------+-------------------------
 Reporter:  th23                                 |       Owner:  (none)
     Type:  enhancement                          |      Status:  new
 Priority:  normal                               |   Milestone:  Future
                                                 |  Release
Component:  Security                             |     Version:  3.4
 Severity:  major                                |  Resolution:
 Keywords:  2nd-opinion has-patch needs-testing  |     Focuses:
  dev-feedback                                   |
-------------------------------------------------+-------------------------

Comment (by stgoos):

 Replying to [comment:132 bgermann]:
 > The argon2 suggestion has a problem: It is optional in PHP compilation.
 > I suggest not using it when compatibility was a concern for a decade.
 > WordPress always took the stance not to bother people with environment
 > issues and depending on a specific PHP compile-time configuration flag is
 > completely against that notion.

 That's a perfectly understandable stance from WordPress's side.

 **Is a solution in which bcrypt is used, by default, and argon2 -when
 detected as available- an idea?**

 That way we can at least make some progress with this topic after a decade
 of not leaving it untouched.


 ''Btw - WordPress stance "to not bother people with environment issues and
 depending on a specific PHP compile-time configuration flag" could also be
 turned around. With an estimated 39-43% of all websites on the web running
 WordPress it could be a very good driver to make the entire internet a
 safer place. As providers who don't keep their setup up to date with these
 requirements from WordPress could simply lose business. I know, it's not
 as black and white as I just described it and quite a few people starting
 with WordPress / less tech savvy WordPress users on cheaper(?) hosting
 will probably think it's a WordPress issue rather than a provider
 issue..., so avoiding that risk (as mentioned I can understand it) leads
 to topics like this one.''

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:133>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
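The "bcrypt by default, argon2 when detected as available" approach suggested in the comment above, written out as an added example in plain PHP (not WordPress core code and not from the ticket). The cost parameters are illustrative assumptions; the availability check works because `PASSWORD_ARGON2ID` is only defined when PHP was built with argon2 support.

```php
<?php
// Added example: choose the strongest password_hash() algorithm this PHP
// build supports (argon2id if compiled in, otherwise bcrypt) and upgrade
// stored hashes transparently when a user logs in.

/** Preferred algorithm: argon2id is optional at PHP compile time, so detect it. */
function preferred_password_algo(): string {
    if (defined('PASSWORD_ARGON2ID')) {
        return PASSWORD_ARGON2ID;
    }
    // bcrypt has shipped with every PHP since 5.5, so it is the safe fallback.
    return PASSWORD_BCRYPT;
}

/** Cost parameters for the preferred algorithm (assumed values; tune to hardware). */
function preferred_password_options(): array {
    if (defined('PASSWORD_ARGON2ID')) {
        // memory_cost is in KiB: 65536 = 64 MiB per hash.
        return ['memory_cost' => 65536, 'time_cost' => 4];
    }
    return ['cost' => 12];
}

function hash_password(string $plaintext): string {
    return password_hash($plaintext, preferred_password_algo(), preferred_password_options());
}

/**
 * Verify a login attempt. On success, return the hash to keep: either the
 * stored one, or a fresh hash if the stored one uses an older algorithm or
 * weaker parameters than currently preferred (caller persists it). Null on
 * failure.
 */
function verify_and_maybe_rehash(string $plaintext, string $stored_hash): ?string {
    if (!password_verify($plaintext, $stored_hash)) {
        return null;
    }
    if (password_needs_rehash($stored_hash, preferred_password_algo(), preferred_password_options())) {
        return hash_password($plaintext);
    }
    return $stored_hash;
}

// Constructed usage: a legacy bcrypt hash at cost 10 is re-hashed on a
// successful login with whatever this build prefers.
$legacy = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
$kept = verify_and_maybe_rehash('correct horse battery staple', $legacy);
var_dump($kept !== null && $kept !== $legacy); // whether the stored hash was upgraded
```

Hashes produced by WordPress's current phpass scheme are not understood by `password_verify()`, so a real migration still needs a separate check for those before this path applies.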