[wp-trac] [WordPress Trac] #21022: Allow bcrypt to be enabled via filter for pass hashing
WordPress Trac
noreply at wordpress.org
Sat Jan 2 01:37:12 UTC 2016
#21022: Allow bcrypt to be enabled via filter for pass hashing
---------------------------------------------+-----------------------------
Reporter: th23                               | Owner:
Type: enhancement                            | Status: new
Priority: normal                             | Milestone: Awaiting Review
Component: Security                          | Version: 3.4
Severity: normal                             | Resolution:
Keywords: 2nd-opinion has-patch 4.5-early    | Focuses:
---------------------------------------------+-----------------------------
Comment (by dd32):
> I'd like to see what kind of stats we have on .org that can help us
> understand how often a site downgrades the PHP version.
Unfortunately our stats for this are not very good; it appears that
there are probably a lot of sites which are switching between versions of
PHP very often, which is making our stats very noisy - I'm going to assume
these are test or dev sites.
I don't think a user would intentionally switch to another host which runs
PHP 5.2, however someone who maintains WordPress sites might move a site
onto their infrastructure, and run into that problem. I don't see this
being an issue to that segment of users though.
Using `password_hash()` in 5.5+ could be a better idea than switching to
bcrypt with phpass directly; however, with only ~35% of 4.3/4.4 sites
running PHP 5.5/5.6/7, the user experience of a PHP downgrade (no matter
how rare) would need to be far better than simply using phpass+bcrypt in
PHP 5.3.7+. The number of hosts which are still on PHP 5.4 is common enough
that a user may switch to one.
I do however wonder if the ideal user experience would simply be a login
error with a link to WordPress.org & a password reset email; is something
such as `Whoops! PHP can no longer decrypt your password, <a
href="w.org">find out why</a> or <a>reset your password</a>` as user
friendly as the rest of WordPress, which just works?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:68>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
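An added example (not WordPress core code or the patch on this ticket) of the downgrade-aware check the discussion above circles around: classify the stored hash by its prefix, verify it with whatever the running PHP supports, and return a distinct result when a bcrypt hash cannot be checked at all, so the login flow can offer a password reset instead of a bare login error. The `$verify_phpass` callable stands in for the site's existing phpass checker and is an assumption.

```php
<?php
// Added example, not WordPress core code or the ticket's patch. "$P$"/"$H$"
// prefixes are phpass portable hashes (verifiable on any PHP); "$2a$"/"$2y$"
// are bcrypt, which crypt() handles on PHP 5.3.7+ and password_verify() on
// 5.5+. $verify_phpass is assumed to be the site's existing phpass checker.

const PW_OK = 'ok';                   // password matches
const PW_FAIL = 'fail';               // wrong password
const PW_UNSUPPORTED = 'unsupported'; // this PHP cannot verify the stored hash

function bcrypt_available() {
    return PHP_VERSION_ID >= 50307 && defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH === 1;
}

// Constant-time string compare; hash_equals() itself only exists on PHP 5.6+.
function constant_time_equals($a, $b) {
    if (function_exists('hash_equals')) {
        return hash_equals($a, $b);
    }
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Distinguishes a wrong password from "this PHP cannot check this hash", so the
// login flow can offer a password reset instead of a bare login failure.
function check_password_downgrade_aware($password, $stored_hash, $verify_phpass) {
    if (strpos($stored_hash, '$P$') === 0 || strpos($stored_hash, '$H$') === 0) {
        return $verify_phpass($password, $stored_hash) ? PW_OK : PW_FAIL;
    }
    if (preg_match('/^\$2[axy]\$\d\d\$/', $stored_hash) === 1) {
        if (!bcrypt_available()) {
            return PW_UNSUPPORTED;            // e.g. site moved back to PHP 5.2
        }
        if (function_exists('password_verify')) {   // PHP 5.5+
            return password_verify($password, $stored_hash) ? PW_OK : PW_FAIL;
        }
        $computed = crypt($password, $stored_hash); // PHP 5.3.7 - 5.4 path
        return constant_time_equals($computed, $stored_hash) ? PW_OK : PW_FAIL;
    }
    return PW_UNSUPPORTED;                    // unknown hash format
}
```

The caller treats `PW_UNSUPPORTED` as a reason to trigger the reset-email path described in the comment rather than counting it as a failed login attempt.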