[wp-trac] [WordPress Trac] #21022: Allow bcrypt to be enabled via filter for pass hashing
WordPress Trac
noreply at wordpress.org
Mon Jan 4 06:36:43 UTC 2016
#21022: Allow bcrypt to be enabled via filter for pass hashing
---------------------------------------------+-----------------------------
Reporter: th23 | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 3.4
Severity: normal | Resolution:
Keywords: 2nd-opinion has-patch 4.5-early | Focuses:
---------------------------------------------+-----------------------------
Comment (by nacin):
Replying to @Otto42:
> If the password-hash is detectable
The password algorithm is stored as the first few characters. `$P$` are
portable hashes, `$H$` are phpBB portable hashes, `$2a$` is bcrypt, `$2y$`
is bcrypt generated by `crypt()` >= PHP 5.3.7.
My comment didn't suggest using phpass over `password_hash()`. Yes, we
should probably look at `password_hash()` so we don't need to worry about
phpass's internal salt generation. (That said, the author of phpass is
also the author of crypt_blowfish.)
Replying to @dd32:
> Using `password_hash()` in 5.5+ could be a better idea than switching to
bcrypt with phpass directly, however, with only ~35% of 4.3/4.4 sites
running PHP 5.5/5.6/7 the user experience of a PHP downgrade (no matter
how rare) would need to be far better than simply using phpass+bcrypt in
PHP 5.3.7+. The number of hosts which are still PHP 5.4 is common enough
that a user may switch to one.
It's actually possible we could do 5.5 + `password_hash( $algo =
PASSWORD_BCRYPT )` and still be portable down to 5.3.7 without changing
anything, because phpass simply uses `crypt()` internally so we'd be able
to evaluate a `$2y$` hash. So I'm not actually sure we'd need to use
password_compat.
I'd be mostly interested in figuring out where exactly the new stuff
should go. If we do it in our pluggable functions, we'll need to check if
we're using portable hashes ($P$, $H$) there so we can send it to phpass
(and then upgrade it), otherwise we'll need to put this into phpass.
Sounds like we may need our own way to encapsulate (and to get this logic
out of pluggable functions).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:71>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
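The dispatch nacin sketches (look at the hash prefix, send `$P$`/`$H$` to the phpass algorithm, let `crypt()` evaluate `$2y$` on PHP 5.3.7+, use `password_hash()` where it exists, and rehash a portable hash once the login succeeds), written out as an added PHP example. This is not WordPress core code and not the `PasswordHash` class phpass ships; the helper names (`portable_hash`, `portable_setting`, `bcrypt_hash`, `verify_and_upgrade`, `ct_equals`) and the sample password are this example's own. The `$P$` computation follows the phpass portable scheme (md5 iterated 2^cost times over a salt, then phpass's base64 variant), so an existing WordPress hash would verify against it.

```php
<?php
// Added example, not WordPress core or phpass code. Assumes PHP >= 5.3.7
// (for $2y$ in crypt()); password_hash()/password_verify()/
// password_needs_rehash() are used only when present (PHP >= 5.5).
const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// phpass base64 variant: 3 bytes -> 4 chars, least significant bits first.
function phpass_encode64($input, $count) {
    $itoa64 = ITOA64;
    $output = '';
    $i = 0;
    do {
        $value = ord($input[$i++]);
        $output .= $itoa64[$value & 0x3f];
        if ($i < $count) $value |= ord($input[$i]) << 8;
        $output .= $itoa64[($value >> 6) & 0x3f];
        if ($i++ >= $count) break;
        if ($i < $count) $value |= ord($input[$i]) << 16;
        $output .= $itoa64[($value >> 12) & 0x3f];
        if ($i++ >= $count) break;
        $output .= $itoa64[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $output;
}

// Portable ($P$/$H$) hash of $password under a 12-char setting
// ("$P$" + cost char + 8-char salt). Returns '*' for a malformed setting.
function portable_hash($password, $setting) {
    if (strlen($setting) < 12) return '*';
    $id = substr($setting, 0, 3);
    if ($id !== '$P$' && $id !== '$H$') return '*';
    $count_log2 = strpos(ITOA64, $setting[3]);
    if ($count_log2 === false || $count_log2 < 7 || $count_log2 > 30) return '*';
    $count = 1 << $count_log2;
    $salt = substr($setting, 4, 8);
    $hash = md5($salt . $password, true);
    do {
        $hash = md5($hash . $password, true);
    } while (--$count);
    return substr($setting, 0, 12) . phpass_encode64($hash, 16);
}

// Fresh portable setting: "$P$" + cost char + 8 salt chars from 6 random bytes.
function portable_setting($cost_log2 = 8) {
    $itoa64 = ITOA64;
    return '$P$' . $itoa64[$cost_log2] . phpass_encode64(openssl_random_pseudo_bytes(6), 6);
}

function hash_is_portable($hash) {
    $id = substr($hash, 0, 3);
    return $id === '$P$' || $id === '$H$';
}

function hash_is_bcrypt($hash) {
    return preg_match('/^\$2[axy]\$\d\d\$/', $hash) === 1;
}

// Constant-time comparison; falls back to a manual loop before PHP 5.6.
function ct_equals($a, $b) {
    if (function_exists('hash_equals')) return hash_equals($a, $b);
    if (strlen($a) !== strlen($b)) return false;
    $r = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) $r |= ord($a[$i]) ^ ord($b[$i]);
    return $r === 0;
}

// New bcrypt hash: password_hash() on 5.5+, otherwise crypt() with a $2y$
// setting, which is what phpass itself does for bcrypt on 5.3.7+.
function bcrypt_hash($password, $cost = 10) {
    if (function_exists('password_hash')) {
        return password_hash($password, PASSWORD_BCRYPT, array('cost' => $cost));
    }
    $salt = substr(strtr(base64_encode(openssl_random_pseudo_bytes(16)), '+', '.'), 0, 22);
    return crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));
}

// Returns array(verified, replacement_hash_or_null). A portable hash that
// verifies is rehashed to bcrypt; a bcrypt hash is rehashed only if
// password_needs_rehash() says so (old cost or $2a$ prefix).
function verify_and_upgrade($password, $stored, $cost = 10) {
    $ok = false;
    if (hash_is_portable($stored)) {
        $ok = ct_equals($stored, portable_hash($password, $stored));
    } elseif (hash_is_bcrypt($stored)) {
        $ok = function_exists('password_verify')
            ? password_verify($password, $stored)
            : ct_equals($stored, crypt($password, $stored));
    }
    if (!$ok) return array(false, null);
    $needs = hash_is_portable($stored);
    if (!$needs && function_exists('password_needs_rehash')) {
        $needs = password_needs_rehash($stored, PASSWORD_BCRYPT, array('cost' => $cost));
    }
    return array(true, $needs ? bcrypt_hash($password, $cost) : null);
}

// Constructed sample: a legacy $P$ row, a login that upgrades it, and a
// second login against the new $2y$ hash.
$password = 'correct horse battery staple';
$legacy = portable_hash($password, portable_setting(8));
list($ok, $upgraded) = verify_and_upgrade($password, $legacy);
list($ok2, $again) = verify_and_upgrade($password, $upgraded);
list($bad, $unused) = verify_and_upgrade('wrong password', $upgraded);
printf("legacy %s -> %s, upgraded to %s\n", substr($legacy, 0, 3), $ok ? 'ok' : 'FAIL', substr($upgraded, 0, 4));
printf("bcrypt login %s, rehash needed: %s\n", $ok2 ? 'ok' : 'FAIL', $again === null ? 'no' : 'yes');
printf("wrong password: %s\n", $bad ? 'ACCEPTED' : 'rejected');
```

The prefix check is the whole routing decision nacin raises: nothing in this path needs `password_compat` on 5.3.7 because `crypt()` already evaluates a `$2y$` string, and the only place that still needs phpass-style code is the `$P$`/`$H$` branch, which exists solely to verify old rows before they are rewritten.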