[wp-trac] [WordPress Trac] #21022: Allow bcrypt to be enabled via filter for pass hashing
WordPress Trac
noreply at wordpress.org
Fri Oct 9 13:14:02 UTC 2015
#21022: Allow bcrypt to be enabled via filter for pass hashing
-----------------------------------+------------------------------
Reporter: th23 | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 3.4
Severity: normal | Resolution:
Keywords: 2nd-opinion has-patch | Focuses:
-----------------------------------+------------------------------
Comment (by tomdxw):
One thing that I haven't seen mentioned in this ticket is silently
upgrading password hashes. This bit of code updates a user's password hash
when they log in if they're still using the compatible hashing scheme:
{{{
// The check_password filter runs after wp_check_password() has compared the
// hash; it passes ($check, $password, $hash, $user_id), hence 4 accepted args.
add_filter('check_password', 'my_check_password', 10, 4);
function my_check_password($check = '', $password = '', $hash = '', $user_id = '')
{
    // Only on a successful login, and only if the stored hash is still a
    // portable phpass hash ("$P$" prefix): re-save the password so it is
    // rehashed with whatever hasher is currently configured (e.g. bcrypt).
    if ($check && substr($hash, 0, 3) === '$P$') {
        wp_set_password($password, $user_id);
    }
    return $check;
}
}}}
Is it worth including some functionality like that in this ticket? If not,
then password hashes will only get updated when users reset their
passwords, which means that even after admins upgrade to the latest
version of WP it could still be years in the future when the majority of
their users are using bcrypt.
Also, note that when the password hashing algorithm is bcrypt, the
password reset process breaks. See ticket #33904.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:62>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
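The rehash-on-login pattern the comment above describes, as a stand-alone added example (not code from the ticket, from tomdxw, or from WordPress core). It assumes a plain array `$users` standing in for the `wp_users` table, a bcrypt cost of 12, and demo function names (`phpass_crypt`, `phpass_hash`, `verify_and_upgrade`) chosen here. The legacy verifier is a port of the portable phpass algorithm (`crypt_private` / `encode64`) that produces the `$P$` hashes WordPress stored, so the example works on a realistic legacy hash rather than a stub; it also goes one step beyond the comment by re-hashing bcrypt hashes whose cost has become outdated, using `password_needs_rehash()`.

```php
<?php
// Added example: a stand-alone model of upgrading legacy password hashes on
// login. Not code from the ticket or from WordPress core. The legacy scheme is
// a port of portable phpass (the "$P$" format WordPress stores); $users (an
// array) stands in for the wp_users table; function names are demo choices.
declare(strict_types=1);

const PHPASS_ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
const BCRYPT_COST   = 12;   // raise over time; password_needs_rehash() picks up the change

// phpass base64 variant: 3 input bytes -> 4 chars, little-endian, "./0-9A-Za-z".
function phpass_encode64(string $input, int $count): string
{
    $itoa64 = PHPASS_ITOA64;
    $output = '';
    $i = 0;
    do {
        $value = ord($input[$i++]);
        $output .= $itoa64[$value & 0x3f];
        if ($i < $count) {
            $value |= ord($input[$i]) << 8;
        }
        $output .= $itoa64[($value >> 6) & 0x3f];
        if ($i++ >= $count) {
            break;
        }
        if ($i < $count) {
            $value |= ord($input[$i]) << 16;
        }
        $output .= $itoa64[($value >> 12) & 0x3f];
        if ($i++ >= $count) {
            break;
        }
        $output .= $itoa64[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $output;
}

// Portable phpass: "$P$" + cost char + 8 salt chars + 22 chars of iterated MD5.
// Passing a full stored hash as $setting recomputes the hash for comparison.
function phpass_crypt(string $password, string $setting): string
{
    $bad = '*0';                                  // can never equal a valid hash
    if (substr($setting, 0, 2) === $bad) {
        $bad = '*1';
    }
    $id = substr($setting, 0, 3);
    if (strlen($setting) < 12 || ($id !== '$P$' && $id !== '$H$')) {
        return $bad;
    }
    $count_log2 = strpos(PHPASS_ITOA64, $setting[3]);
    if ($count_log2 === false || $count_log2 < 7 || $count_log2 > 30) {
        return $bad;
    }
    $salt  = substr($setting, 4, 8);
    $count = 1 << $count_log2;
    $hash  = md5($salt . $password, true);
    do {
        $hash = md5($hash . $password, true);
    } while (--$count);
    return substr($setting, 0, 12) . phpass_encode64($hash, 16);
}

// Fresh legacy hash with 2^13 iterations, the setting WordPress used ("$P$B...").
function phpass_hash(string $password): string
{
    $setting = '$P$' . PHPASS_ITOA64[13] . phpass_encode64(random_bytes(6), 6);
    return phpass_crypt($password, $setting);
}

// Verify a login and, on success, transparently move the user to bcrypt.
// A successful login is the only moment the plaintext is in hand, so it is
// the only moment a silent upgrade can happen. Returns true on a correct password.
function verify_and_upgrade(array &$users, string $login, string $password): bool
{
    if (!isset($users[$login])) {
        return false;
    }
    $stored = $users[$login];
    $legacy = in_array(substr($stored, 0, 3), ['$P$', '$H$'], true);

    $ok = $legacy
        ? hash_equals($stored, phpass_crypt($password, $stored))
        : password_verify($password, $stored);
    if (!$ok) {
        return false;                             // wrong password: never touch the stored hash
    }
    // Rehash if the hash is legacy, or bcrypt with an outdated cost. Caveat: bcrypt
    // only looks at the first 72 bytes of the password.
    if ($legacy || password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $users[$login] = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    return true;
}

// Demo with a constructed user whose password was stored under the old scheme.
$users = ['alice' => phpass_hash('correct horse battery staple')];
printf("before:       %s\n", $users['alice']);
printf("wrong pw:     %s\n", verify_and_upgrade($users, 'alice', 'hunter2') ? 'ok' : 'rejected');
printf("still legacy: %s\n", substr($users['alice'], 0, 3));
printf("correct pw:   %s\n", verify_and_upgrade($users, 'alice', 'correct horse battery staple') ? 'ok' : 'rejected');
printf("after:        %s\n", $users['alice']);
// A second correct login now verifies against bcrypt and leaves the hash alone.
printf("again:        %s\n", verify_and_upgrade($users, 'alice', 'correct horse battery staple') ? 'ok' : 'rejected');
```

Run it with `php upgrade_demo.php`. The design point is the one the comment makes: nothing rewrites a hash until the user supplies the correct password, so a wrong guess leaves the `$P$` hash untouched, and the upgrade decision is driven by the stored hash's own format rather than by a global flag, which is also what lets `password_needs_rehash()` migrate bcrypt hashes forward when `BCRYPT_COST` is later raised.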