[wp-trac] [WordPress Trac] #21022: Allow bcrypt to be enabled via filter for pass hashing
WordPress Trac
noreply at wordpress.org
Wed Oct 7 17:27:42 UTC 2015
#21022: Allow bcrypt to be enabled via filter for pass hashing
---------------------------------------------+-----------------------------
 Reporter:  th23                             |       Owner:
     Type:  enhancement                      |      Status:  new
 Priority:  normal                           |   Milestone:  Awaiting Review
Component:  Security                         |     Version:  3.4
 Severity:  normal                           |  Resolution:
 Keywords:  2nd-opinion 3.6-early has-patch  |     Focuses:
---------------------------------------------+-----------------------------
Comment (by mojorob):
Replying to [comment:52 mark8barnes]:
> Replying to [comment:51 mojorob]:
> > Therefore is it not possible to have a check if PHP is => 5.5.0 then
> > use the native password hashing functions? (password_hash etc.)
>
> That's not the worry. The worry is that if this is enabled for PHP 5.5+,
> then someone downgrades from PHP 5.5 to PHP 5.3, then bcrypt will no
> longer work, and people won't be able to log-in without resetting their
> passwords.
Is it that bad for a person to click "forgot password" and have a link
emailed to them to create a new password?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:53>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform