[wp-trac] [WordPress Trac] #21022: Allow bcrypt to be enabled via filter for pass hashing
WordPress Trac
noreply at wordpress.org
Wed Feb 19 19:33:26 UTC 2014
#21022: Allow bcrypt to be enabled via filter for pass hashing
-----------------------------------+------------------------------
Reporter: th23 | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 3.4
Severity: normal | Resolution:
Keywords: 2nd-opinion 3.6-early | Focuses:
-----------------------------------+------------------------------
Comment (by Otto42):
Relevant information: http://nakedsecurity.sophos.com/2014/02/16/syrian-electronic-army-hacks-forbes-spills-1000000-user-records/
TL;DR: The Forbes.com site (running WordPress) was breached and about a
million rows of the users table dumped. The password hashes were exposed.
Though the hashing is still okay using the iterated MD5, it seems that the
bar should probably be raised. If not switching to better algorithms when
they are available, then the iteration count should be raised.
Personally, I would prefer using better algorithms, which means, at the
very least, we should implement a filter or define to allow people to
disable the forced use of portable hashes (aka, forcing MD5).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:46>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
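Added example (editor's illustration, not WordPress or phpass code and not part of the comment above): a minimal reimplementation of the phpass "portable" hash that WordPress stores in user_pass, i.e. the "$P$B..." strings that a dump of the users table exposes. The scheme is salted, iterated MD5; the character after "$P$" is a log2 round count in phpass's own base64 alphabet, so "B" (index 13) means 2**13 = 8192 MD5 rounds. The example also generates a hash with a raised count, which is the "raise the iteration count" option discussed in the comment. The password and salt bytes are constructed for the example; the function names are the example's own.

```python
import hashlib
import hmac
import os
from typing import Optional

# phpass's base64 alphabet (not RFC 4648 order)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def encode64(data: bytes, count: int) -> str:
    """phpass encode64: pack 3 bytes into 4 chars, little-endian, like the PHP original."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def crypt_private(password: bytes, setting: str) -> str:
    """Recompute a $P$/$H$ hash from its 12-char setting prefix (id, count char, 8-char salt).
    Returns '*0' or '*1' on a malformed setting, mirroring phpass."""
    output = "*0"
    if setting[:2] == output:
        output = "*1"
    if setting[:3] not in ("$P$", "$H$"):
        return output
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return output
    salt = setting[4:12]
    if len(salt) != 8:
        return output
    # md5(salt . password), then 2**count_log2 further rounds of md5(hash . password)
    h = hashlib.md5(salt.encode() + password).digest()
    for _ in range(1 << count_log2):
        h = hashlib.md5(h + password).digest()
    return setting[:12] + encode64(h, 16)


def hash_password(password: str, count_log2: int = 13, salt_bytes: Optional[bytes] = None) -> str:
    """Produce a portable hash. count_log2=13 is what WordPress's PasswordHash(8, true)
    stores (8 + 5 = 13, hence the 'B'); a larger value raises the work factor."""
    if salt_bytes is None:
        salt_bytes = os.urandom(6)  # 6 random bytes -> 8 salt characters
    setting = "$P$" + ITOA64[min(count_log2, 30)] + encode64(salt_bytes, 6)
    return crypt_private(password.encode(), setting)


def check_password(password: str, stored: str) -> bool:
    """Verify a candidate password against a stored $P$ hash (constant-time compare)."""
    computed = crypt_private(password.encode(), stored)
    if computed.startswith("*"):
        return False
    return hmac.compare_digest(computed, stored)


def rounds(stored: str) -> int:
    """Number of MD5 rounds a stored $P$ hash encodes in its fourth character."""
    return 1 << ITOA64.index(stored[3])


if __name__ == "__main__":
    # constructed sample: fixed salt so the output is reproducible
    h = hash_password("correct horse battery staple", salt_bytes=b"\x01\x02\x03\x04\x05\x06")
    print(h, rounds(h), check_password("correct horse battery staple", h))
    # the "raise the iteration count" option: count char 'D' -> 2**15 rounds
    h15 = hash_password("correct horse battery staple", count_log2=15)
    print(h15, rounds(h15))
```

The point the code makes concrete: every "$P$B" row in a leaked table tells the attacker that candidate passwords cost exactly 8192 MD5 computations each, a cost that commodity GPUs absorb easily. Raising count_log2 only moves that constant; switching the stored format to bcrypt (PHP's password_hash with PASSWORD_BCRYPT) changes the algorithm, which is the second option the comment prefers.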