[wp-trac] [WordPress Trac] #21022: Allow bcrypt to be enabled via filter for pass hashing
WordPress Trac
noreply at wordpress.org
Mon Mar 7 16:05:23 UTC 2016
#21022: Allow bcrypt to be enabled via filter for pass hashing
---------------------------------------------+-----------------------------
 Reporter:  th23                            |       Owner:
     Type:  enhancement                     |      Status:  new
 Priority:  normal                          |   Milestone:  Awaiting Review
Component:  Security                        |     Version:  3.4
 Severity:  normal                          |  Resolution:
 Keywords:  2nd-opinion has-patch 4.5-early |     Focuses:
---------------------------------------------+-----------------------------
Comment (by ryan):
* Switch to password_hash() and password_verify(). This is very
straightforward code.
https://github.com/roots/wp-password-bcrypt/blob/master/wp-password-bcrypt.php
* If log in fails and password_hash() does not exist and the password hash
is not portable, send a password reset email and show a notice on the log
in screen explaining that password reset is required and an email has been
sent. This will cover the scenario of someone deploying a db with
password_hash() hashes on PHP < 5.3.7.
* Publish a support doc and link to it from the notice.
Should we pull in the back compat versions of password_hash() and
password_verify() for php >= 5.3.7 and < 5.5 for the scenario of moving
forward from phpass to password_hash()? In other words, do we want to use
back compat versions to move sites forward or use them only for the edge
case of deploying a database with password_hash() hashes on an old version
of php. Not using them to move forward would mean sites with PHP < 5.5
would stay on phpass, even if they are >= 5.3.7 and can use the back
compat funcs.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:76>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
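The login-time check sketched in the comment above (bcrypt via password_verify(), legacy phpass hashes still accepted and rehashed to bcrypt on a successful login, and a "reset required" signal when a bcrypt hash is present but password_verify() is unavailable) written out as an added example. This is not WordPress core code and not the roots/wp-password-bcrypt plugin linked above; every wp_demo_* name is hypothetical. So that the legacy branch runs stand-alone, the block carries a minimal re-implementation of the phpass portable ($P$/$H$) algorithm from class-phpass.php; in WordPress that branch would call $wp_hasher->CheckPassword() instead. The sample password and salt are constructed for the demo.

```php
<?php
// Added example (not WordPress core, not roots/wp-password-bcrypt).
// Requires PHP >= 5.6 for hash_equals(); password_* exist natively on >= 5.5.

// phpass alphabet used by its custom base64 and for the iteration-count byte.
function wp_demo_itoa64() {
    return './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
}

// phpass encode64(): 3 input bytes -> 4 alphabet chars, no padding.
function wp_demo_phpass_encode64($input, $count) {
    $itoa64 = wp_demo_itoa64();
    $output = '';
    $i = 0;
    do {
        $value = ord($input[$i++]);
        $output .= $itoa64[$value & 0x3f];
        if ($i < $count) { $value |= ord($input[$i]) << 8; }
        $output .= $itoa64[($value >> 6) & 0x3f];
        if ($i++ >= $count) { break; }
        if ($i < $count) { $value |= ord($input[$i]) << 16; }
        $output .= $itoa64[($value >> 12) & 0x3f];
        if ($i++ >= $count) { break; }
        $output .= $itoa64[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $output;
}

// Portable phpass hash: "$P$" . count char . 8-char salt . encode64(hash).
// hash = MD5(salt||pw) iterated 2^count_log2 times as MD5(hash||pw).
// Returns false when $setting is not a portable ($P$/$H$) hash.
function wp_demo_phpass_crypt($password, $setting) {
    if (strlen($setting) < 12 || !in_array(substr($setting, 0, 3), array('$P$', '$H$'), true)) {
        return false;
    }
    $count_log2 = strpos(wp_demo_itoa64(), $setting[3]);
    if ($count_log2 === false || $count_log2 < 7 || $count_log2 > 30) {
        return false;
    }
    $count = 1 << $count_log2;
    $salt  = substr($setting, 4, 8);
    $hash  = md5($salt . $password, true);
    do {
        $hash = md5($hash . $password, true);
    } while (--$count);
    return substr($setting, 0, 12) . wp_demo_phpass_encode64($hash, 16);
}

// Returns 'ok', 'ok-rehashed', 'fail' or 'reset-required'. On 'ok-rehashed'
// $new_hash holds the bcrypt hash the caller should store for the user.
function wp_demo_check_password($password, $stored, &$new_hash = null) {
    $new_hash  = null;
    $is_bcrypt = preg_match('/^\$2[axy]\$\d{2}\$/', $stored) === 1;

    if ($is_bcrypt) {
        if (!function_exists('password_verify')) {
            // A database holding password_hash() hashes was deployed on a PHP
            // without password_verify() (< 5.3.7, no compat lib). The hash
            // cannot be checked, so the caller must trigger a password reset.
            return 'reset-required';
        }
        if (!password_verify($password, $stored)) {
            return 'fail';
        }
        if (password_needs_rehash($stored, PASSWORD_BCRYPT)) {
            // Cost or algorithm parameters changed since the hash was made.
            $new_hash = password_hash($password, PASSWORD_BCRYPT);
            return 'ok-rehashed';
        }
        return 'ok';
    }

    // Legacy phpass path; constant-time compare of the recomputed hash.
    $computed = wp_demo_phpass_crypt($password, $stored);
    if ($computed === false || !hash_equals($stored, $computed)) {
        return 'fail';
    }
    // Plaintext is in hand on a successful login: move the user to bcrypt
    // now, if this PHP can produce bcrypt hashes; otherwise stay on phpass.
    if (function_exists('password_hash')) {
        $new_hash = password_hash($password, PASSWORD_BCRYPT);
        return 'ok-rehashed';
    }
    return 'ok';
}

// Constructed sample data (not from any real site). '$P$B' + 8-char salt is
// the setting shape WordPress uses (B = 2^13 iterations).
$password = 'correct horse battery staple';
$legacy   = wp_demo_phpass_crypt($password, '$P$B' . 'abcdefgh');

var_dump(wp_demo_check_password($password, $legacy, $upgraded));
var_dump(strncmp((string) $upgraded, '$2y$', 4) === 0);
var_dump(wp_demo_check_password($password, $upgraded));
var_dump(wp_demo_check_password('wrong', $legacy));
var_dump(wp_demo_check_password($password, 'not-a-hash'));
```

The demo walks a user through the transition: the legacy $P$B hash verifies and comes back with an upgraded bcrypt hash, the upgraded hash then verifies without further rehashing, and wrong passwords or unrecognised hash formats fail. The 'reset-required' branch can only be reached on a PHP without password_verify(), which is the deploy-old-PHP scenario the comment describes.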