[wp-hackers] Should password hashing portability be configurable?
Harry Metcalfe
harry at dxw.com
Wed Nov 7 19:27:25 UTC 2012
I entirely agree. I have seen a discussion somewhere supporting using
MD5 for portability though.
I didn't realise, but there's already a trac ticket:
http://core.trac.wordpress.org/ticket/21022
I shall go add my $0.02 to it.
Harry
On 07/11/12 19:24, Otto wrote:
> Yes, that said, bcrypt was indeed intentionally designed to be
> slow-as-heck for hashing, so it would be more secure in theory. I have
> my doubts about that in practice. Modern GPU based crackers are
> uber-fast.
>
> Since we're on 5.3 and up now, it does make sense to remove the "true"
> from those functions, since every PHP 5.3 should have bcrypt in it.
> Might be worth making a core ticket for it instead of a plugin.
>
> -Otto
>
>
> On Wed, Nov 7, 2012 at 1:22 PM, Harry Metcalfe <harry at dxw.com> wrote:
>>> The underlying cryptographic hash function is pretty much
>>> irrelevant to the concept of password storage.
>> As far as choosing between MD5/SHA256/similar, I agree. But bcrypt is
>> different.
>>
>>> Unless the hash algorithm is extremely slow, [...]
>> This is exactly the point. bcrypt is, by design, very slow. And it can be
>> adjusted to make it slower as computing power becomes cheaper. More:
>>
>> http://en.wikipedia.org/wiki/Bcrypt
>> http://codahale.com/how-to-safely-store-a-password/
>>
>>
>>
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
More information about the wp-hackers
mailing list