[wp-trac] [WordPress Trac] #21022: Allow bcrypt to be enabled via filter for pass hashing

WordPress Trac noreply at wordpress.org
Sat Mar 5 04:20:57 UTC 2016

#21022: Allow bcrypt to be enabled via filter for pass hashing
 Reporter:  th23                             |       Owner:
     Type:  enhancement                      |      Status:  new
 Priority:  normal                           |   Milestone:  Awaiting
Component:  Security                         |  Review
 Severity:  normal                           |     Version:  3.4
 Keywords:  2nd-opinion has-patch 4.5-early  |  Resolution:
                                             |     Focuses:

Comment (by DeveloperWil):

 I like @dd32's idea of simply adding a email and password reset for
 passwords that cannot be decrypted.

 You could even pre-empt issues by storing the current PHP version in the
 DB during the update check and trigger at the very least an admin email
 when the version of PHP has been changed, or especially so, downgraded.

 That would at least give site owners information on why a site has "broke"
 as in @mattheweppelsheimer's examples.

 Storing the PHP version in the DB could also enable secure password
 hashing on new installations if PHP >= 5.5

 Considering how insecure MD5 is and how many sites are powered by
 WordPress can this issue get some traction?

Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:74>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list