[wp-trac] [WordPress Trac] #21022: Allow bcrypt to be enabled via filter for pass hashing

WordPress Trac noreply at wordpress.org
Wed Oct 7 17:39:49 UTC 2015


#21022: Allow bcrypt to be enabled via filter for pass hashing
-----------------------------------+------------------------------
 Reporter:  th23                   |       Owner:
     Type:  enhancement            |      Status:  new
 Priority:  normal                 |   Milestone:  Awaiting Review
Component:  Security               |     Version:  3.4
 Severity:  normal                 |  Resolution:
 Keywords:  2nd-opinion has-patch  |     Focuses:
-----------------------------------+------------------------------
Changes (by chriscct7):

 * keywords:  2nd-opinion 3.6-early has-patch => 2nd-opinion has-patch


Comment:

 Replying to [comment:53 mojorob]:
 > Replying to [comment:52 mark8barnes]:
 > > Replying to [comment:51 mojorob]:
 > > > Therefore is it not possible to have a check if PHP is => 5.5.0 then
 > > > use the native password hashing functions? (password_hash etc.)
 > >
 > > That's not the worry. The worry is that if this is enabled for PHP
 > > 5.5+, then someone downgrades from PHP 5.5 to PHP 5.3, then bcrypt will no
 > > longer work, and people won't be able to log in without resetting their
 > > passwords.
 >
 > Is it that bad for a person to click "forgot password" and have a link
 > emailed to them to create a new password?

 Yes, because a majority of the users will know they were entering the
 previously correct password and won't understand they need to reset their
 passwords. Also on a larger install, with hundreds of thousands of users,
 particularly if the site deals with eCommerce, this could provide for a
 massive headache in terms of support.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:54>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
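The failure mode the thread is worried about (bcrypt hashes that become unverifiable after a PHP downgrade) is easier to reason about with the dispatch logic written out. The following is an added illustration, not WordPress core code and not the ticket's patch: it hashes with password_hash() only when the native functions exist, dispatches verification on the stored hash's prefix, and reports a bcrypt hash on a runtime without password_verify() as a distinct "unsupported" outcome rather than a silent mismatch, so support staff can distinguish it from a wrong password. The legacy scheme is a stand-in (crypt() in SHA-512 mode) for WordPress's phpass hasher, which is assumed rather than included; the `$bcrypt` override parameter exists only to simulate the downgrade on a modern PHP, where the functions cannot be removed.

```php
<?php
// Added example (not WordPress core code). Demonstrates dispatching between
// a bcrypt hash from password_hash() and a legacy hash, and surfacing the
// "bcrypt present but password_verify() missing" downgrade case explicitly.

// Assumption: crypt()'s SHA-512 mode ($6$) stands in for the phpass hasher.
function legacy_hash($password) {
    $salt = '$6$' . bin2hex(random_bytes(8)) . '$';   // 16-char salt as $6$ expects
    return crypt($password, $salt);
}

function legacy_check($password, $hash) {
    // crypt() re-derives using the salt embedded in $hash; compare in constant time.
    return hash_equals($hash, crypt($password, $hash));
}

// True when this PHP build has the native password API (PHP >= 5.5).
function bcrypt_available() {
    return function_exists('password_hash') && function_exists('password_verify');
}

// Hash a new password: bcrypt when available, otherwise the legacy scheme.
// $use_bcrypt may be forced for demonstration; normally it is auto-detected.
function hash_password($password, $use_bcrypt = null) {
    if ($use_bcrypt === null) {
        $use_bcrypt = bcrypt_available();
    }
    return $use_bcrypt ? password_hash($password, PASSWORD_BCRYPT) : legacy_hash($password);
}

// Verify against whatever format the stored hash is in. Returns one of:
//   'ok'           password matches
//   'mismatch'     wrong password
//   'unsupported'  stored hash is bcrypt but this runtime cannot verify bcrypt
function check_password($password, $stored, $bcrypt = null) {
    if ($bcrypt === null) {
        $bcrypt = bcrypt_available();
    }
    $is_bcrypt = strncmp($stored, '$2y$', 4) === 0 || strncmp($stored, '$2a$', 4) === 0;
    if ($is_bcrypt) {
        if (!$bcrypt) {
            // Downgrade case from the thread: the user may well have typed the
            // correct password. Log it distinctly so it is not mistaken for a
            // plain wrong-password event.
            error_log('login: bcrypt hash stored but password_verify() is unavailable');
            return 'unsupported';
        }
        return password_verify($password, $stored) ? 'ok' : 'mismatch';
    }
    return legacy_check($password, $stored) ? 'ok' : 'mismatch';
}

// Constructed demonstration values.
$pw       = 'correct horse battery staple';
$h_bcrypt = hash_password($pw, true);
$h_legacy = hash_password($pw, false);

echo "bcrypt, correct password:      ", check_password($pw, $h_bcrypt), PHP_EOL;
echo "bcrypt, wrong password:        ", check_password('wrong', $h_bcrypt), PHP_EOL;
echo "legacy, correct password:      ", check_password($pw, $h_legacy), PHP_EOL;
echo "bcrypt after simulated downgrade: ", check_password($pw, $h_bcrypt, false), PHP_EOL;
```

The point of the third return value is operational: on the large installs the comment describes, a spike of 'unsupported' results in the log immediately tells an operator that the runtime lost bcrypt support, whereas treating those logins as ordinary mismatches would look like thousands of users forgetting their passwords at once.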