[wp-trac] [WordPress Trac] #21022: Allow bcrypt to be enabled via filter for pass hashing
WordPress Trac
noreply at wordpress.org
Thu Nov 8 15:09:10 UTC 2012
#21022: Allow bcrypt to be enabled via filter for pass hashing
-------------------------------------------+------------------------------
Reporter: th23 | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 3.4
Severity: normal | Resolution:
Keywords: 2nd-opinion punt dev-feedback |
-------------------------------------------+------------------------------
Comment (by ryanhellyer):
Even at 100 billion attempts per second, it would still take over 1000
years to crack a password with only 12 characters in it, and that's
assuming only numbers and English characters. So 100,000 attempts per
second doesn't seem like anything worth worrying about.
The situation in which that could be a problem is when users use
horrendously insecure passwords. Moving to a more secure hash will
unfortunately not stop users from choosing a password of 123abc which
would still be trivial to crack, even with bcrypt. So perhaps an
alternative solution to this is to implement a minimum password strength
system like the following plugin?
http://www.itsananderson.com/plugins/minimum-password-strength/
I have seen multiple sites "hacked" due to insecure passwords. Passwords
like "password", "letmein" and "admin" appear to be scarily common. Since
implementing that plugin, I haven't seen any examples of this occurring,
thankfully. Implementing it seems like it would get to the core of the
problem a little more directly and effectively than worrying about the
hashing algorithm.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/21022#comment:27>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
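The ticket asks for bcrypt to be switchable in for WordPress password hashing. The example below, added here and not code from the ticket, the commenter, or WordPress core, shows the shape such a switch takes today using the pluggable functions core already exposes (wp_hash_password() and wp_check_password(), which a plugin may define before wp-includes/pluggable.php does). It assumes PHP 5.6 or later (password_hash(), password_needs_rehash(), hash_equals()), that the file is loaded from wp-content/mu-plugins/, and that the filter name 'example_bcrypt_cost' and the default cost of 10 are illustrative choices, not anything WordPress defines.

```php
<?php
/**
 * Added example (not from the ticket or WordPress core): a must-use plugin
 * that replaces the pluggable password functions with bcrypt via PHP's
 * password_hash(), keeps accepting the phpass ("$P$") and legacy MD5 hashes
 * already in the database, and upgrades each of those to bcrypt the next
 * time its user logs in successfully.
 *
 * Assumptions: PHP >= 5.6; loaded from wp-content/mu-plugins/ so it runs
 * before pluggable.php defines the defaults; 'example_bcrypt_cost' is a
 * hypothetical filter name and 10 an assumed default work factor.
 */

/** Work factor for new hashes. Assumed default; tune so one hash takes ~100 ms. */
function example_bcrypt_cost() {
    return (int) apply_filters( 'example_bcrypt_cost', 10 ); // hypothetical filter
}

if ( ! function_exists( 'wp_hash_password' ) ) {
    function wp_hash_password( $password ) {
        return password_hash( $password, PASSWORD_BCRYPT, array( 'cost' => example_bcrypt_cost() ) );
    }
}

if ( ! function_exists( 'wp_check_password' ) ) {
    function wp_check_password( $password, $hash, $user_id = '' ) {
        global $wp_hasher;

        if ( 0 === strpos( $hash, '$2y$' ) ) {
            // bcrypt hash written by this plugin: password_verify() compares in constant time.
            $check = password_verify( $password, $hash );
            // A stored cost below the current target is re-hashed on this login.
            $needs_upgrade = $check && password_needs_rehash(
                $hash, PASSWORD_BCRYPT, array( 'cost' => example_bcrypt_cost() )
            );
        } elseif ( strlen( $hash ) <= 32 ) {
            // Unsalted MD5 left over from pre-2.5 installs, which core still accepts.
            $check         = hash_equals( $hash, md5( $password ) );
            $needs_upgrade = $check;
        } else {
            // phpass ("$P$") hash produced by the default wp_hash_password().
            if ( empty( $wp_hasher ) ) {
                require_once ABSPATH . WPINC . '/class-phpass.php';
                $wp_hasher = new PasswordHash( 8, true );
            }
            $check         = $wp_hasher->CheckPassword( $password, $hash );
            $needs_upgrade = $check;
        }

        // The plaintext is only available at login, so this is the one chance
        // to migrate a user's stored hash to bcrypt (or to a higher cost).
        if ( $needs_upgrade && $user_id ) {
            wp_set_password( $password, $user_id );
        }

        return apply_filters( 'check_password', $check, $password, $hash, $user_id );
    }
}
```

Nothing is rehashed in bulk: existing rows keep their phpass or MD5 hash until that user next authenticates, so the migration is lazy and dormant accounts stay on the old format. The bcrypt branch is tested first because a bcrypt string is 60 characters and would otherwise never hit the MD5 length check, and the cost is re-evaluated on every login so raising the filter's value later ratchets all active users up without a second migration.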