[wp-trac] [WordPress Trac] #21022: Allow bcrypt to be enabled via filter for pass hashing
WordPress Trac
wp-trac at lists.automattic.com
Wed Jun 20 01:34:26 UTC 2012
#21022: Allow bcrypt to be enabled via filter for pass hashing
-------------------------+-----------------------------
Reporter: th23 | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 3.4
Severity: normal | Keywords: dev-feedback
-------------------------+-----------------------------
Hi,
Following recent discussions on password security and how to best prevent
hackers from leveraging any password table they might have got, I looked
into the phpass used for WordPress.
While I in principle understand why WordPress uses the compatibility mode
of it, I would like to see some flexibility for those who don't need the
compatibility.
Thus I would propose to change in wp-includes/pluggable.php all occurrences
of

    $wp_hasher = new PasswordHash(8, true);

to

    $wp_hasher = new PasswordHash(8, apply_filters('phpass_compatibility_mode', true));
This would allow users to easily change via plugin from the "not so
secure" compatibility mode (only salted MD5) of phpass to a more secure
setting (bcrypt) in case no compatibility with other applications is
required.
The plugin changing the encryption method could then be as easy as

    function phpass_bcrypt() {
        return false;
    }
    add_filter('phpass_compatibility_mode', 'phpass_bcrypt');
--
Ticket URL: <http://core.trac.wordpress.org/ticket/21022>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
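An added example, not part of the ticket or of WordPress core: a mu-plugin that hooks the proposed (hypothetical, not yet existing) 'phpass_compatibility_mode' filter and reports what the switch actually produced, since phpass falls back to weaker schemes when bcrypt is unavailable and existing users still carry portable "$P$" hashes.

```php
<?php
// Added example (not from the ticket). Assumes the 'phpass_compatibility_mode'
// filter proposed above has been added to wp-includes/pluggable.php.

// 1. Opt out of phpass portable (salted-MD5) mode, as the ticket suggests.
add_filter( 'phpass_compatibility_mode', '__return_false' );

/**
 * Report which scheme the non-portable hasher really produces and whether
 * hashes created under the old portable mode still verify. Returns an array
 * so the result can be logged or shown on an admin screen.
 */
function th23_example_hash_report( $password ) {
    require_once ABSPATH . WPINC . '/class-phpass.php';

    $portable = new PasswordHash( 8, true );   // what core does today
    $strong   = new PasswordHash( 8, apply_filters( 'phpass_compatibility_mode', true ) );

    $old_hash = $portable->HashPassword( $password ); // "$P$B..." (portable)
    $new_hash = $strong->HashPassword( $password );

    // phpass silently falls back (bcrypt -> extended DES -> portable) when
    // CRYPT_BLOWFISH is unavailable, so inspect the prefix instead of assuming.
    $scheme = 'portable-md5';
    if ( 0 === strpos( $new_hash, '$2a$' ) ) {
        $scheme = 'bcrypt';
    } elseif ( 0 === strpos( $new_hash, '_' ) ) {
        $scheme = 'extended-des';
    }

    return array(
        'new_scheme'        => $scheme,
        'bcrypt_available'  => defined( 'CRYPT_BLOWFISH' ) && 1 === CRYPT_BLOWFISH,
        // CheckPassword detects the scheme from the stored hash, so users with
        // existing "$P$" hashes keep logging in after the switch.
        'old_hash_still_ok' => $strong->CheckPassword( $password, $old_hash ),
        'new_hash_ok'       => $strong->CheckPassword( $password, $new_hash ),
    );
}
```

A site switching modes should confirm 'new_scheme' is 'bcrypt' on its actual PHP build; old portable hashes are only replaced when each user next changes their password.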