[wp-trac] [WordPress Trac] #21022: Allow bcrypt to be enabled via filter for pass hashing

WordPress Trac noreply at wordpress.org
Thu Nov 8 15:42:10 UTC 2012


#21022: Allow bcrypt to be enabled via filter for pass hashing
-------------------------------------------+------------------------------
 Reporter:  th23                           |       Owner:
     Type:  enhancement                    |      Status:  new
 Priority:  normal                         |   Milestone:  Awaiting Review
Component:  Security                       |     Version:  3.4
 Severity:  normal                         |  Resolution:
 Keywords:  2nd-opinion punt dev-feedback  |
-------------------------------------------+------------------------------

Comment (by bpetty):

 Replying to [comment:27 ryanhellyer]:
 > The situation in which that could be a problem, is when users use
 > horrendously insecure passwords. Moving to a more secure hash will
 > unfortunately not stop users from choosing a password of 123abc which
 > would still be trivial to crack, even with bCrypt. So perhaps an
 > alternative solution to this is to implement a minimum password strength
 > system like the following plugin?
 > http://www.itsananderson.com/plugins/minimum-password-strength/
 >
 > I have seen multiple sites "hacked" due to insecure passwords. Passwords
 > like "password", "letmein" and "admin" appear to be scarily common. Since
 > implementing that plugin, I haven't seen any examples of this occurring
 > thankfully. Implementing it seems like it would get to the core of the
 > problem a little more directly and effectively than changing the hashing
 > algorithm.

 Ryan has a very good point here. The fact that WP already uses per-password
 salts and stretching with a well-respected password hashing library is
 actually pretty good regardless of what hashing method is used.
 There's no point in bumping server resource requirements, and extending
 page response times for registration and login past 2 seconds (not even
 including everything beyond the hash) when the actual problem that needs
 to be solved is password strength.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/21022#comment:29>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
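The two points the thread turns on, a hash cost that must stay inside a response-time budget and a strength floor that stops "123abc"-class passwords before hashing is even relevant, in one added example. This is illustrative code written for this page, not WordPress core or phpass; it assumes PHP 7.3+ for `hrtime()` and `password_hash()`, and `password_meets_policy()` and `calibrate_bcrypt_cost()` are hypothetical helper names.

```php
<?php
// Added example (not WordPress or phpass code): pick a bcrypt cost factor
// that fits a latency budget on this host, and reject trivially guessable
// passwords (the ones named in the thread) before they are ever hashed.

// Constructed denylist built from the passwords mentioned in the discussion.
const COMMON_PASSWORDS = ['password', 'letmein', 'admin', '123abc'];

// Hypothetical policy helper: a length floor plus a denylist check.
function password_meets_policy(string $password, int $minLength = 12): bool
{
    if (strlen($password) < $minLength) {
        return false;
    }
    return !in_array(strtolower($password), COMMON_PASSWORDS, true);
}

// Return the highest bcrypt cost whose single hash stays under $budgetMs.
// The cost parameter is logarithmic: each +1 roughly doubles the work.
function calibrate_bcrypt_cost(float $budgetMs, int $minCost = 10, int $maxCost = 15): int
{
    $chosen = $minCost;
    for ($cost = $minCost; $cost <= $maxCost; $cost++) {
        $start = hrtime(true);
        password_hash('calibration-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsedMs = (hrtime(true) - $start) / 1e6;
        if ($elapsedMs > $budgetMs) {
            break;
        }
        $chosen = $cost;
    }
    return $chosen;
}

// Budget of 250 ms per hash keeps login well under the 2-second figure quoted above.
$cost = calibrate_bcrypt_cost(250.0);
printf("Using bcrypt cost %d\n", $cost);

foreach (['letmein', 'correct horse battery staple'] as $candidate) {
    if (!password_meets_policy($candidate)) {
        printf("Rejected %s: fails minimum strength policy\n", json_encode($candidate));
        continue;
    }
    // password_hash() generates a fresh random per-password salt on every call,
    // so two users with the same password never share a hash.
    $hash = password_hash($candidate, PASSWORD_BCRYPT, ['cost' => $cost]);
    printf("Stored %s as %s...\n", json_encode($candidate), substr($hash, 0, 29));
    assert(password_verify($candidate, $hash));
}
```

Re-run the calibration when the hardware changes; a cost that fits the budget today can exceed it after a move to a smaller host.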