[wp-trac] [WordPress Trac] #21022: Allow bcrypt to be enabled via filter for pass hashing
WordPress Trac
noreply at wordpress.org
Sat Jan 2 00:23:27 UTC 2016
#21022: Allow bcrypt to be enabled via filter for pass hashing
---------------------------------------------+-----------------------------
Reporter: th23 | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 3.4
Severity: normal | Resolution:
Keywords: 2nd-opinion has-patch 4.5-early | Focuses:
---------------------------------------------+-----------------------------
Comment (by mojorob):
Replying to [comment:66 Otto42]:
> Actually, looking at this one again, I think it's been so long on this
> one that we should instead consider switching to the PHP 5.5+
> password_hash() function, and including a compatibility library such as
> https://github.com/ircmaxell/password_compat/ for older PHP versions.
I suggested the (PHP5.5+) native password_hash 3 months ago, and I still
think it's the way to go. So I would agree with such a switch.
All except one of the WordPress sites I look after are now running on
PHP7, and still using the wp-bcrypt plugin due to what some might suggest
is an excessive need to retain backward compatibility. Surely when it
comes to password security a better approach is to keep up with standards
for those who can. For those who can't/won't then include an alternative
as suggested. As mentioned before when there is a downgrade of PHP on a
live site, then it could be made to have minimal impact - any large sites
would (should?) know of potential issues when downgrading PHP.
Rather than simply having bcrypt in WP4.5, I'd suggest moving over to
native password_hash in a manner suggested by Otto.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:67>
WordPress Trac <https://core.trac.wordpress.org/>
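The switch discussed above (native password_hash() with a compatibility path for older hashes) as an added example; this is not code from the ticket, the wp-bcrypt plugin or WordPress core. It assumes PHP 5.6 or later (PHP 5.5 with ircmaxell/password_compat also works for the password_* calls), and the legacy verifier and the stored hash are hypothetical stand-ins supplied by the caller.

```php
<?php
// Added example: verify against an existing hash and transparently upgrade
// it to native bcrypt, so no forced password reset is needed at migration.

const PW_COST = 10; // bcrypt work factor; raise it as server hardware allows

// Hash a new password with bcrypt ($2y$ format; the salt is generated internally).
function bcrypt_hash_password($password) {
    return password_hash($password, PASSWORD_BCRYPT, array('cost' => PW_COST));
}

// Check $password against $stored_hash. $legacy_check is a caller-supplied
// callable for the pre-migration scheme (hypothetical; e.g. a phpass check).
// Returns array(bool $ok, string|null $new_hash): $new_hash is non-null when
// the stored value should be replaced (legacy scheme, or bcrypt at an old cost).
function bcrypt_check_password($password, $stored_hash, callable $legacy_check) {
    if (strpos($stored_hash, '$2y$') === 0) {
        if (!password_verify($password, $stored_hash)) {
            return array(false, null);
        }
        $outdated = password_needs_rehash($stored_hash, PASSWORD_BCRYPT,
                                          array('cost' => PW_COST));
        return array(true, $outdated ? bcrypt_hash_password($password) : null);
    }
    // Not a bcrypt hash: fall back to the legacy verifier, upgrade on success.
    if ($legacy_check($password, $stored_hash)) {
        return array(true, bcrypt_hash_password($password));
    }
    return array(false, null);
}

// Constructed demo: an unsalted md5 stands in for whatever the legacy scheme is.
$legacy_check = function ($password, $hash) {
    return hash_equals($hash, md5($password));
};
$stored = md5('correct horse');                        // constructed legacy hash
list($ok, $new) = bcrypt_check_password('correct horse', $stored, $legacy_check);
assert($ok && $new !== null && strpos($new, '$2y$') === 0); // upgraded to bcrypt
list($ok, $new) = bcrypt_check_password('correct horse', $new, $legacy_check);
assert($ok && $new === null);                          // already bcrypt, current cost
list($ok, $new) = bcrypt_check_password('wrong', $new, $legacy_check);
assert(!$ok && $new === null);                         // no upgrade on failure
```

On a PHP downgrade the $2y$ hashes remain verifiable as long as password_compat is loaded, which is the compatibility path the comment refers to.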