[wp-trac] [WordPress Trac] #21022: Allow bcrypt to be enabled via filter for pass hashing
WordPress Trac
noreply at wordpress.org
Wed Oct 7 17:53:13 UTC 2015
#21022: Allow bcrypt to be enabled via filter for pass hashing
-----------------------------------+------------------------------
Reporter: th23 | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 3.4
Severity: normal | Resolution:
Keywords: 2nd-opinion has-patch | Focuses:
-----------------------------------+------------------------------
Comment (by mojorob):
Replying to [comment:54 chriscct7]:
> Replying to [comment:53 mojorob]:
> > Replying to [comment:52 mark8barnes]:
> > > Replying to [comment:51 mojorob]:
> > > > Therefore is it not possible to have a check if PHP is => 5.5.0 then use the native password hashing functions? (password_hash etc.)
> > >
> > > That's not the worry. The worry is that if this is enabled for PHP 5.5+, then someone downgrades from PHP 5.5 to PHP 5.3, then bcrypt will no longer work, and people won't be able to log in without resetting their passwords.
> >
> > Is it that bad for a person to click "forgot password" and have a link emailed to them to create a new password?
>
> Yes, because a majority of the users will know they were entering the previously correct password and won't understand they need to reset their passwords. Also on a larger install, with hundreds of thousands of users, particularly if the site deals with eCommerce, this could provide for a massive headache in terms of support.
Then we're back to a point earlier made by someone else that "it would be trivial to create an alert that would display if the admin attempted to log in when passwords were bcrypted but the server didn't support bcrypt."

In that case the request link form can be shown for everyone when login fails the first time (not just admin), and additionally an email sent to admin to alert them. A simple message saying something like "we have changed our login system and require everyone to reset their passwords" could help too.

However, for the kind of sites you mention I would have thought the admins would know what they're doing, and the user case is quite small.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:55>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
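As an added example (not code from this ticket, its patch, or WordPress core), here is the kind of check the comment above sketches: classify the stored hash before verifying it, and if it is a bcrypt hash but this PHP runtime has no password_verify(), fail the login explicitly, record the condition for an admin alert, and leave the reset flow to handle the user. The `check_password` filter and `update_option()` are real WordPress APIs; the function names and the option name are assumptions of this example.

```php
<?php
// Added example, not WordPress core code. Detects the case discussed in the
// thread: bcrypt hashes stored while PHP >= 5.5 was in use, now being checked
// on a runtime that cannot verify them (e.g. after a downgrade), so the site
// can surface a clear "reset required" state instead of a silent failure.

define('EXAMPLE_HASH_PHPASS', 'phpass');
define('EXAMPLE_HASH_BCRYPT', 'bcrypt');
define('EXAMPLE_HASH_UNKNOWN', 'unknown');

function example_classify_stored_hash($hash) {
    // phpass (WordPress default) hashes start with $P$ or $H$;
    // bcrypt hashes produced by password_hash() start with $2y$ (or $2a$/$2b$).
    if (preg_match('/^\$[PH]\$/', $hash)) {
        return EXAMPLE_HASH_PHPASS;
    }
    if (preg_match('/^\$2[aby]\$\d\d\$/', $hash)) {
        return EXAMPLE_HASH_BCRYPT;
    }
    return EXAMPLE_HASH_UNKNOWN;
}

function example_runtime_can_verify($scheme) {
    if ($scheme === EXAMPLE_HASH_BCRYPT) {
        // password_verify() is native on PHP >= 5.5 (or supplied by a polyfill).
        return function_exists('password_verify');
    }
    // phpass needs only md5(), which every PHP build WordPress runs on provides.
    return $scheme === EXAMPLE_HASH_PHPASS;
}

// Hooked into core's check_password filter: ($check, $password, $hash, $user_id).
// If the stored hash cannot be verified here, force a false result and flag the
// condition so an admin notice / reset-link prompt can be shown on the next page.
function example_downgrade_aware_check_password($check, $password, $hash, $user_id) {
    $scheme = example_classify_stored_hash($hash);
    if (example_runtime_can_verify($scheme)) {
        return $check; // runtime supports this hash: keep the normal verdict
    }
    // Assumed option name used by this example to record the condition.
    update_option('example_unverifiable_hash_seen', time());
    error_log("User {$user_id}: stored hash uses '{$scheme}' but this PHP cannot verify it; password reset required.");
    return false;
}
add_filter('check_password', 'example_downgrade_aware_check_password', 10, 4);
```

A companion admin notice would read the recorded option and show the "we have changed our login system, please reset your password" message the comment proposes.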