[wp-trac] [WordPress Trac] #21022: Allow bcrypt to be enabled via filter for pass hashing
WordPress Trac
noreply at wordpress.org
Fri Jan 1 23:45:57 UTC 2016
#21022: Allow bcrypt to be enabled via filter for pass hashing
---------------------------------------------+-----------------------------
 Reporter:  th23                             |       Owner:
     Type:  enhancement                      |      Status:  new
 Priority:  normal                           |   Milestone:  Awaiting Review
Component:  Security                         |
 Severity:  normal                           |     Version:  3.4
 Keywords:  2nd-opinion has-patch 4.5-early  |  Resolution:
                                             |     Focuses:
---------------------------------------------+-----------------------------
Comment (by Otto42):

Actually, looking at this one again, I think it's been so long on this one
that we should instead consider switching to the PHP 5.5+ password_hash()
function, and including a compatibility library such as
https://github.com/ircmaxell/password_compat/ for older PHP versions.

Note that that library is PHP 5.3.7+ only as well, for the same bcrypt
security reasons, so we still have issues there. We could consider
including both PHPass and the password_hash compat library, and then using
whichever makes sense for the current PHP version.

The user_pass field was expanded to 255 characters in #33904 for exactly
this reason, BTW.

Essentially, if we're going to support stronger password encryption
methods, then we're ripping the bandaid off anyway. Let's go ahead and
modernize to use the built-in methods when possible. If we have to have
PHP version checks and such anyway, then we might as well do it up right.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:66>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
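
The approach proposed in the comment above (password_hash() where the PHP version allows it, PHPass otherwise), sketched as an added example that is not WordPress core code and not part of the original message. The example_* names, the cost of 10 and the stand-in legacy hasher are assumptions made for illustration.

```php
<?php
// Added illustration; example_* names are hypothetical, not WordPress core APIs.
define('EXAMPLE_COST', 10); // assumed bcrypt work factor

// True when password_hash() is usable: built in on PHP 5.5+, or supplied by
// password_compat on PHP 5.3.7+ (the minimum stated in the comment).
function example_has_native() {
    return function_exists('password_hash')
        && version_compare(PHP_VERSION, '5.3.7', '>=');
}

// Hash with bcrypt when possible, otherwise with the legacy hasher (e.g. PHPass).
function example_hash($password, $legacy_hash) {
    if (example_has_native()) {
        $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => EXAMPLE_COST));
        if (is_string($hash)) {
            return $hash;
        }
    }
    return call_user_func($legacy_hash, $password);
}

// Verify a login. Returns array(valid, new_hash); new_hash is non-null when the
// stored value should be replaced, so old hashes get upgraded at login time.
function example_check($password, $stored, $legacy_check, $legacy_hash) {
    $native = example_has_native();
    $info   = $native ? password_get_info($stored) : array('algo' => 0);
    if ($native && !empty($info['algo'])) {    // format known to password_*()
        $valid  = password_verify($password, $stored);
        $rehash = $valid && password_needs_rehash(
            $stored, PASSWORD_BCRYPT, array('cost' => EXAMPLE_COST));
    } else {                                   // legacy format
        $valid  = (bool) call_user_func($legacy_check, $password, $stored);
        $rehash = $valid && $native;           // upgrade only if bcrypt is usable
    }
    return array($valid, $rehash ? example_hash($password, $legacy_hash) : null);
}

// Constructed stand-ins for the legacy library, for this demo only. A real site
// would wrap PHPass here; this placeholder is not a secure password hash.
$legacy_hash  = function ($pw) { return 'legacy:' . hash('sha256', $pw); };
$legacy_check = function ($pw, $stored) use ($legacy_hash) {
    return hash_equals($stored, $legacy_hash($pw));
};

$stored = $legacy_hash('correct horse');       // constructed legacy record
list($ok, $new) = example_check('correct horse', $stored, $legacy_check, $legacy_hash);
var_dump($ok, $new !== null && strpos($new, '$2y$') === 0);
list($bad, $none) = example_check('wrong', $stored, $legacy_check, $legacy_hash);
var_dump($bad, $none);
```

The caller writes new_hash back to the user record whenever it is non-null; a failed login never triggers a rehash.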