[wp-trac] [WordPress Trac] #21022: Allow bcrypt to be enabled via filter for pass hashing
WordPress Trac
noreply at wordpress.org
Thu Oct 1 10:15:41 UTC 2015
#21022: Allow bcrypt to be enabled via filter for pass hashing
---------------------------------------------+-----------------------------
 Reporter:  th23                             |       Owner:
     Type:  enhancement                      |      Status:  new
 Priority:  normal                           |   Milestone:  Awaiting Review
Component:  Security                         |     Version:  3.4
 Severity:  normal                           |  Resolution:
 Keywords:  2nd-opinion 3.6-early has-patch  |     Focuses:
---------------------------------------------+-----------------------------
Comment (by mark8barnes):
It seems wrong that in 2015 we're still not using bcrypt for password
hashing, at least for systems that support it. I understand why
portability is a good thing, but not if it makes the majority of systems
vulnerable.
* The chances of people downgrading from PHP 5.3+ to 5.2 are diminishing
by the day.
* Downgrading is least likely to happen on a large site with lots of
users, which is where there is the biggest potential problem.
* It would be trivial to create an alert that would display if the admin
attempted to log in when passwords were bcrypted but the server didn't
support bcrypt. That way if someone does move from 5.3 to 5.2, they'd very
soon understand the problem and be able to reverse the change.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:49>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform