[wp-trac] [WordPress Trac] #21022: Use bcrypt for password hashing; updating old hashes
WordPress Trac
noreply at wordpress.org
Mon Dec 12 14:09:18 UTC 2022
#21022: Use bcrypt for password hashing; updating old hashes
-------------------------------------------------+-------------------------
Reporter: th23 | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Future Release
Component: Security | Version: 3.4
Severity: major | Resolution:
Keywords: 2nd-opinion has-patch needs-testing dev-feedback | Focuses:
-------------------------------------------------+-------------------------
Comment (by ryanhellyer):
Since WordPress's minimum requirement is PHP 7.4 and Argon2 comes with PHP
7.2 and above, perhaps it would be appropriate to add support for
Argon2 to WordPress core, and automatically upgrade everyone to Argon2
when they log in next. I don't think bcrypt would be needed, since Argon2
is available to all sites which support the WordPress minimum
requirements.
There could be a separate plugin and WP CLI tool which could auto-convert
the passwords in bulk too. I think there wouldn't be a problem with server
overload from the conversion process, but if there was, then we could even
implement a system to allow admins to batch convert them all before they
upgraded WordPress (leaving the original password hashes in place until
core was upgraded).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:137>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
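The "upgrade everyone at their next login" step the comment proposes needs the plaintext password, which is only available while the user is authenticating; a stored phpass hash cannot be turned into an Argon2 hash offline. The following is an added example, not WordPress core code and not the reporter's patch, of that login-time rehash in PHP. It assumes PHP built with libargon2 so that `PASSWORD_ARGON2ID` is defined, a caller-supplied `$persist` callback standing in for the write to the users table, and illustrative Argon2id cost parameters in `ARGON2_OPTS`; the phpass `$P$` routines are reimplemented inline so the block runs stand-alone against a constructed legacy hash.

```php
<?php
// Added example (not WordPress core code): transparent upgrade of a legacy
// phpass "$P$" hash to Argon2id at the user's next successful login.
// Assumptions: PHP >= 7.2 with libargon2 (PASSWORD_ARGON2ID defined) and a
// caller-supplied $persist callback that stores the new hash.
declare(strict_types=1);

const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// Illustrative Argon2id parameters (memory_cost is in KiB); tune per host.
const ARGON2_OPTS = ['memory_cost' => 65536, 'time_cost' => 3, 'threads' => 1];

// phpass's own base64 variant (not RFC 4648), needed to recompute "$P$" hashes.
function phpass_encode64(string $input, int $count): string
{
    $output = '';
    $i = 0;
    do {
        $value = ord($input[$i++]);
        $output .= ITOA64[$value & 0x3f];
        if ($i < $count) {
            $value |= ord($input[$i]) << 8;
        }
        $output .= ITOA64[($value >> 6) & 0x3f];
        if ($i++ >= $count) {
            break;
        }
        if ($i < $count) {
            $value |= ord($input[$i]) << 16;
        }
        $output .= ITOA64[($value >> 12) & 0x3f];
        if ($i++ >= $count) {
            break;
        }
        $output .= ITOA64[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $output;
}

// Recompute a phpass portable hash: md5(salt.pw), then md5 iterated 2^cost times.
function phpass_crypt(string $password, string $setting): string
{
    if (strncmp($setting, '$P$', 3) !== 0 || strlen($setting) < 12) {
        return '*0'; // can never equal a real stored hash
    }
    $count_log2 = strpos(ITOA64, $setting[3]);
    if ($count_log2 === false || $count_log2 < 7 || $count_log2 > 30) {
        return '*0';
    }
    $count = 1 << $count_log2;
    $hash = md5(substr($setting, 4, 8) . $password, true);
    do {
        $hash = md5($hash . $password, true);
    } while (--$count);
    return substr($setting, 0, 12) . phpass_encode64($hash, 16);
}

function is_legacy_phpass(string $hash): bool
{
    return strncmp($hash, '$P$', 3) === 0;
}

// Verify the password; on success, replace a legacy or under-cost hash with
// Argon2id via $persist. Returns whether the login succeeded.
function login_and_upgrade(string $password, string $stored_hash, callable $persist): bool
{
    if (is_legacy_phpass($stored_hash)) {
        $ok = hash_equals($stored_hash, phpass_crypt($password, $stored_hash));
    } else {
        $ok = password_verify($password, $stored_hash);
    }
    if (!$ok) {
        return false;
    }
    // password_needs_rehash() is true both for an unrecognised "$P$" hash and
    // for an Argon2id hash produced with weaker parameters than ARGON2_OPTS.
    if (password_needs_rehash($stored_hash, PASSWORD_ARGON2ID, ARGON2_OPTS)) {
        $persist(password_hash($password, PASSWORD_ARGON2ID, ARGON2_OPTS));
    }
    return true;
}

// Demo with a constructed legacy hash (salt "abcdefgh", cost 'B' = 2^13 rounds),
// using an in-memory array in place of the users table.
$db = ['user_pass' => phpass_crypt('correct horse', '$P$Babcdefgh')];
$persist = function (string $new) use (&$db): void { $db['user_pass'] = $new; };

if (login_and_upgrade('wrong', $db['user_pass'], $persist) !== false) {
    throw new RuntimeException('wrong password accepted');
}
if (!login_and_upgrade('correct horse', $db['user_pass'], $persist)) {
    throw new RuntimeException('correct password rejected');
}
if (password_get_info($db['user_pass'])['algoName'] !== 'argon2id') {
    throw new RuntimeException('hash was not upgraded');
}
$after_upgrade = $db['user_pass'];
login_and_upgrade('correct horse', $db['user_pass'], $persist); // already at target cost
echo ($db['user_pass'] === $after_upgrade ? 'no rehash on second login' : 'unexpected rehash'), PHP_EOL;
```

The same `password_needs_rehash()` check is what lets a site later raise `ARGON2_OPTS` (or move from bcrypt to Argon2id) without another migration: any hash below the current target is replaced the next time its owner logs in. A bulk WP-CLI conversion of the kind the comment mentions can only rehash accounts whose plaintext is available, so in practice it is limited to resetting or wrapping hashes rather than converting them.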