[wp-trac] [WordPress Trac] #21022: Allow bcrypt to be enabled via filter for pass hashing
WordPress Trac
noreply at wordpress.org
Wed Nov 7 19:32:58 UTC 2012
#21022: Allow bcrypt to be enabled via filter for pass hashing
--------------------------+------------------------------
 Reporter:  th23          |       Owner:
     Type:  enhancement   |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Security      |     Version:  3.4
 Severity:  normal        |  Resolution:
 Keywords:  dev-feedback  |
--------------------------+------------------------------
Comment (by Otto42):
PHPass actually checks for the existence of CRYPT_BLOWFISH and then
CRYPT_EXT_DES support, and uses the best method available when the
$portable_hashes argument is set to false, falling back to MD5 otherwise.
Thus, there's no downside to simply always using false here.

Now that we're on PHP 5.3 for core, every PHP install should have
CRYPT_BLOWFISH, but even if it's strangely compiled without it, PHPass
will continue to work.

My vote is for simply removing the "true" from the $portable_hashes
argument altogether. We don't need it, it's more secure without it, and
honestly it doesn't even need to be a configurable option.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/21022#comment:10>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
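
An added example, not part of the ticket or of WordPress/PHPass code: a small audit helper that reports which of the three methods named in the comment above (bcrypt, extended DES, portable MD5) produced each stored password hash, and with what cost. The hash layouts are assumed from PHPass's usual output formats and are not given in the ticket; classify, audit and the SAMPLE rows are hypothetical and constructed for illustration.

```python
import re

# PHPass base-64 alphabet, used to encode cost parameters in its hashes.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def classify(stored):
    """Return (scheme, rounds) for one stored hash string."""
    m = re.fullmatch(r"\$2[axy]\$(\d\d)\$[./A-Za-z0-9]{53}", stored)
    if m:  # CRYPT_BLOWFISH: two-digit log2 cost after the prefix
        return "bcrypt", 1 << int(m.group(1))
    if re.fullmatch(r"_[./0-9A-Za-z]{19}", stored):
        # CRYPT_EXT_DES: four chars after "_" hold the count, 6 bits each, low first
        rounds = sum(ITOA64.index(c) << (6 * i) for i, c in enumerate(stored[1:5]))
        return "ext-des", rounds
    if re.fullmatch(r"\$[PH]\$[./0-9A-Za-z]{31}", stored):
        # Portable MD5: one char after the prefix holds log2 of the iteration count
        log2 = ITOA64.index(stored[3])
        if 7 <= log2 <= 30:
            return "portable-md5", 1 << log2
        return "invalid", None
    return "unknown", None


def audit(rows):
    """Group usernames by scheme so non-bcrypt accounts can be queued for rehash."""
    report = {}
    for user, stored in rows:
        scheme, _ = classify(stored)
        report.setdefault(scheme, []).append(user)
    return report


# Constructed sample rows (not real hashes): (user_login, user_pass)
SAMPLE = [
    ("alice", "$P$B" + "saltsalt" + "x" * 22),
    ("bob", "$2a$08$" + "s" * 22 + "h" * 31),
    ("carol", "_zzD." + "salt" + "h" * 11),
    ("dave", "not-a-phpass-hash"),
]

if __name__ == "__main__":
    for user, stored in SAMPLE:
        print(user, *classify(stored))
    print(audit(SAMPLE))
```

Accounts reported under anything other than bcrypt are the ones that would change scheme if the $portable_hashes argument were switched to false and their password re-hashed.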