[wp-trac] [WordPress Trac] #21022: Allow bcrypt to be enabled via filter for pass hashing

WordPress Trac noreply at wordpress.org
Fri Jan 1 23:29:02 UTC 2016


#21022: Allow bcrypt to be enabled via filter for pass hashing
---------------------------------------------+-----------------------------
 Reporter:  th23                             |       Owner:
     Type:  enhancement                      |      Status:  new
 Priority:  normal                           |   Milestone:  Awaiting Review
Component:  Security                         |
 Severity:  normal                           |     Version:  3.4
 Keywords:  2nd-opinion has-patch 4.5-early  |  Resolution:
                                             |     Focuses:
---------------------------------------------+-----------------------------

Comment (by nacin):

 Replying to [comment:16 harrym]:
 > Switching to bcrypt as the default will only affect a very small number
 > of people (if any) who go from a newer version of PHP to an older one.

 This remains my three-year-old concern here. I believe this is
 substantially less of a concern of mine now, given that our 5.2 numbers
 have continued to erode and are under 10% at this time. It's always been
 unlikely for anyone to deliberately deploy downward to 5.2; but it's now
 also increasingly unlikely for anyone to unwittingly move to a
 different host and end up on 5.2.

 HOWEVER, we need to handle this with good UX. What does that mean? If you
 try to log in on a site and the password hash for the account you are
 trying to log into is `$2a$`, and your site does not support bcrypt, then
 we need to give them an error message and take them to a very, very good
 documentation page on wordpress.org.

 Additionally, PHP < 5.3.7 has a vulnerability in the Blowfish
 implementation. We will need to decide if we should skip < 5.3.7, rather
 than just < 5.2, when turning on Blowfish. That will likely be the
 cleanest way to do this, based on my rusty understanding of CVE-2011-2483.
 For more, start with http://www.openwall.com/lists/announce/2011/06/21/1
 and http://php.net/security/crypt_blowfish.php.

 Finally, I'd like to see what kind of stats we have on .org that can help
 us understand how often a site downgrades the PHP version. I'm asking
 @dd32 for help there.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:65>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
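As an added example (not code from the ticket or from WordPress core), one way to implement the two checks raised in the comment above: detect a `$2a$`-family hash by its prefix before handing it to crypt(), and gate bcrypt on PHP >= 5.3.7 rather than merely >= 5.3, so the pre-CVE-2011-2483 Blowfish implementation is never used. The `th23_*` function names and the documentation URL are placeholders.

```php
<?php
// Hypothetical helper names (th23_*); not WordPress core code.

// True when crypt() on this build knows bcrypt AND the build is at or past
// 5.3.7, where the CVE-2011-2483 Blowfish fix (and the "$2y$" prefix) landed.
function th23_bcrypt_usable() {
    return defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH === 1
        && version_compare(PHP_VERSION, '5.3.7', '>=');
}

// Classify a stored hash by its prefix so the login path can branch before
// ever calling crypt(). Returns 'bcrypt', 'phpass' or 'unknown'.
function th23_hash_scheme($hash) {
    if (preg_match('/^\$2[axy]\$\d{2}\$/', $hash)) {
        return 'bcrypt';
    }
    if (strncmp($hash, '$P$', 3) === 0 || strncmp($hash, '$H$', 3) === 0) {
        return 'phpass';  // WordPress' existing portable phpass format
    }
    return 'unknown';
}

// Verify $password against $hash. Instead of silently failing when the hash
// is bcrypt but this build cannot verify it, return a distinct error code so
// the caller can show the explanatory message and documentation link.
function th23_check_password($password, $hash) {
    $scheme = th23_hash_scheme($hash);
    if ($scheme === 'bcrypt') {
        if (!th23_bcrypt_usable()) {
            return array('ok' => false, 'error' => 'bcrypt_unsupported',
                         'docs' => 'https://wordpress.org/support/');  // placeholder
        }
        $computed = crypt($password, $hash);
        $match = function_exists('hash_equals')
            ? hash_equals($hash, $computed)   // constant-time compare, PHP >= 5.6
            : ($computed === $hash);
        return array('ok' => $match);
    }
    if ($scheme === 'phpass') {
        // Hand off to the existing phpass checker (wp_check_password()).
        return array('ok' => false, 'error' => 'defer_to_phpass');
    }
    return array('ok' => false, 'error' => 'unknown_scheme');
}

// Constructed demo: a bcrypt hash generated with a fixed 22-character salt.
if (th23_bcrypt_usable()) {
    $hash = crypt('correct horse', '$2y$10$abcdefghijklmnopqrstuv');
    var_dump(th23_check_password('correct horse', $hash));
    var_dump(th23_check_password('wrong', $hash));
}
```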
