[wp-trac] [WordPress Trac] #21022: Allow bcrypt to be enabled via filter for pass hashing
WordPress Trac
noreply at wordpress.org
Sun Oct 28 09:22:17 UTC 2012
#21022: Allow bcrypt to be enabled via filter for pass hashing
--------------------------+------------------------------
Reporter: th23 | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 3.4
Severity: normal | Resolution:
Keywords: dev-feedback |
--------------------------+------------------------------
Comment (by jammycakes):
IMO, bcrypt needs to be made the default, out of the box option. The idea
that WordPress admins should have to go hunting for a plugin to do this
scares me, simply because most of them won't unless (a) they are well
versed in web security, (b) they know that WordPress uses a weak
alternative by default, and (c) they consider it to be an issue worth
worrying about.
People often underestimate the seriousness of MD5 and the SHA-* algorithms
being "less secure." They aren't just less secure: thanks to developments
in password cracking in the past few years using GPU- and FPGA-based
software, they are '''totally useless.''' Programs such as oclHashCat even
have an option specifically to crack passwords in WordPress databases --
and the rate at which they can do so is terrifying. If you're not making a
strong password hashing algorithm the default, out-of-the-box option,
you're exposing your users to unacceptable and unnecessary risk.
For what it's worth, you can do this without breaking backwards
compatibility. It should be possible to include some code that can
identify which algorithm you're using, and you can upgrade your users'
passwords to the new option when they log in. You would also need to be
able to do this if you wanted to increase the work factor passed into
bcrypt every so often to allow for improvements in cracking technology.
(For reference, see the original "just use bcrypt" article:
http://codahale.com/how-to-safely-store-a-password/)
--
Ticket URL: <http://core.trac.wordpress.org/ticket/21022#comment:8>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
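An added example (not from the ticket and not WordPress core code) of the detect-and-upgrade-on-login scheme the comment above describes, written against PHP's native password_* API: a legacy MD5 or phpass hash is replaced by bcrypt the first time the user logs in, and an existing bcrypt hash is re-hashed whenever the target cost has been raised. The `$db` object with `get_hash()`/`set_hash()`, the `BCRYPT_COST` constant, and the availability of the bundled phpass `PasswordHash` class are assumptions.

```php
<?php
// Added example, not WordPress core code: upgrade legacy password hashes to
// bcrypt transparently at login, and re-hash when the bcrypt cost is raised.
// Assumes PHP >= 7.2 and a hypothetical $db with get_hash($user) / set_hash($user, $hash).

const BCRYPT_COST = 12; // raise periodically as cracking hardware improves

// Is the stored hash already bcrypt? ($2a$ = older libraries, $2y$ = PHP's own)
function is_bcrypt(string $hash): bool {
    return preg_match('/^\$2[ay]\$\d{2}\$/', $hash) === 1;
}

// Verify against the legacy schemes WordPress has used. Anything else fails closed.
function verify_legacy(string $password, string $stored): bool {
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        return hash_equals($stored, md5($password));   // unsalted MD5 (pre-2.5 installs)
    }
    if (strncmp($stored, '$P$', 3) === 0) {
        // phpass portable hash; the bundled PasswordHash class is assumed to be loaded
        return (new PasswordHash(8, true))->CheckPassword($password, $stored);
    }
    return false;
}

function bcrypt_hash(string $password): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Returns true on success; as a side effect the stored hash is brought up to date.
function login(object $db, string $user, string $password): bool {
    $stored = $db->get_hash($user);
    if ($stored === null) {
        return false;
    }
    if (is_bcrypt($stored)) {
        if (!password_verify($password, $stored)) {
            return false;
        }
        // Cost below the current target (or a $2a$ hash): re-hash while we hold the cleartext.
        if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
            $db->set_hash($user, bcrypt_hash($password));
        }
        return true;
    }
    if (!verify_legacy($password, $stored)) {
        return false;
    }
    $db->set_hash($user, bcrypt_hash($password)); // one-time upgrade at login
    return true;
}
```

The upgrade can only happen at login because the cleartext is needed to compute the new hash; accounts that never log in keep their old hash, so a rollout should also consider forcing a reset for long-dormant users.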