[wp-hackers] Should password hashing portability be configurable?
Ryan McCue
lists at rotorised.com
Thu Nov 8 10:45:14 UTC 2012
Otto wrote:
> Yes, that said, bcrypt was indeed intentionally designed to be
> slow-as-heck for hashing, so it would be more secure in theory. I have
> my doubts about that in practice. Modern GPU based crackers are
> uber-fast.
The idea is that as computers get faster, you increase the "cost" of the
bcrypt function (where iterations = 2^cost). At the moment, the cost is
8 (see wp-includes/class-phpass.php, PasswordHash::PasswordHash()),
which is 256 rounds.
(See also: http://security.stackexchange.com/a/17238 )
> Since we're on 5.3 and up now, it does make sense to remove the "true"
> from those functions, since every PHP 5.3 should have bcrypt in it.
Just to reiterate what was mentioned on #21022 [1], we're not actually
on 5.3+ yet, we're still on 5.2.4+, just in case anyone was confused.
[1]: http://core.trac.wordpress.org/ticket/21022
--
Ryan McCue
<http://ryanmccue.info/>
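To make the cost-to-rounds mapping concrete, here is an added example (my code, not WordPress's class-phpass.php or anything posted on the list): a Python reimplementation of phpass's portable "$P$" hash that decodes the round count from the hash's fourth character and verifies a password with a constant-time comparison. Note that WordPress-generated hashes carry the prefix `$P$B`, and `B` is index 13 in phpass's alphabet, i.e. 2^13 = 8192 MD5 rounds, because phpass adds 5 to the configured log2 cost on PHP 5; the salt and password below are constructed values.

```python
import hashlib
import hmac

# phpass's alphabet: the 4th character of a "$P$" hash is its index here = log2(rounds)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def encode64(data: bytes) -> str:
    """phpass's own base64 variant (little-endian 24-bit groups, no padding)."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def rounds(stored: str):
    """MD5 round count encoded in a "$P$"/"$H$" hash, or None if the setting is invalid."""
    if len(stored) < 12 or stored[:3] not in ("$P$", "$H$"):
        return None
    log2 = ITOA64.find(stored[3])
    return 1 << log2 if 7 <= log2 <= 30 else None  # range accepted by crypt_private()

def phpass_hash(password: str, setting: str):
    """Recompute the portable hash for setting = "$P$" + cost char + 8-char salt."""
    count = rounds(setting)
    if count is None:
        return None
    pw = password.encode("utf-8")
    digest = hashlib.md5(setting[4:12].encode("ascii") + pw).digest()
    for _ in range(count):  # PHP: do { $hash = md5($hash . $password, TRUE); } while (--$count);
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest)

def check_password(password: str, stored: str) -> bool:
    """Verify by recomputing under the stored setting; compare in constant time."""
    computed = phpass_hash(password, stored[:12])
    return computed is not None and hmac.compare_digest(computed, stored)
```

Raising the cost by one doubles the round count (and the verification time), which is the knob the post describes.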