[wp-trac] [WordPress Trac] #21022: Allow bcrypt to be enabled via filter for pass hashing

WordPress Trac noreply at wordpress.org
Mon Mar 7 16:05:23 UTC 2016

#21022: Allow bcrypt to be enabled via filter for pass hashing
 Reporter:  th23                             |       Owner:
     Type:  enhancement                      |      Status:  new
 Priority:  normal                           |   Milestone:  Awaiting
Component:  Security                         |  Review
 Severity:  normal                           |     Version:  3.4
 Keywords:  2nd-opinion has-patch 4.5-early  |  Resolution:
                                             |     Focuses:

Comment (by ryan):

 * Switch to password_hash() and password_verify(). This is very
 straightforward code. https://github.com/roots/wp-password-
 * If login fails and password_hash() does not exist and the password hash
 is not portable, send a password reset email and show a notice on the login
 screen explaining that password reset is required and an email has been
 sent. This will cover the scenario of someone deploying a db with
 password_hash() hashes on PHP < 5.3.7.
 * Publish a support doc and link to it from the notice.

 Should we pull in the back compat versions of password_hash() and
 password_verify() for PHP >= 5.3.7 and < 5.5 for the scenario of moving
 forward from phpass to password_hash()? In other words, do we want to use
 back compat versions to move sites forward or use them only for the edge
 case of deploying a database with password_hash() hashes on an old version
 of PHP. Not using them to move forward would mean sites with PHP < 5.5
 would stay on phpass, even if they are >= 5.3.7 and can use the back
 compat funcs.

Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:76>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
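The migration logic ryan sketches, written out as an mu-plugin that overrides WordPress's pluggable password functions (an added example, not WordPress core code and not the roots plugin). It assumes it runs inside WordPress, loaded before pluggable.php, and the user-meta key 'demo_password_reset_required' and helper demo_phpass_hasher() are hypothetical names.

```php
<?php
// Added example (not WordPress core, not the roots plugin): an mu-plugin overriding
// the pluggable wp_hash_password()/wp_check_password() to carry out the steps in the
// comment above. Assumes it runs inside WordPress, loaded before pluggable.php, so
// core's PasswordHash class and wp_set_password() exist; 'demo_password_reset_required'
// is a hypothetical meta key.
function demo_phpass_hasher() { // hypothetical helper, mirrors core's hasher setup
    global $wp_hasher;
    if ( empty( $wp_hasher ) ) {
        require_once ABSPATH . WPINC . '/class-phpass.php';
        $wp_hasher = new PasswordHash( 8, true );
    }
    return $wp_hasher;
}

if ( ! function_exists( 'wp_hash_password' ) ) :
function wp_hash_password( $password ) {
    // Native on PHP >= 5.5, or a loaded back-compat library on 5.3.7-5.4.
    if ( function_exists( 'password_hash' ) ) {
        return password_hash( trim( $password ), PASSWORD_DEFAULT );
    }
    return demo_phpass_hasher()->HashPassword( trim( $password ) );
}
endif;

if ( ! function_exists( 'wp_check_password' ) ) :
function wp_check_password( $password, $hash, $user_id = '' ) {
    if ( 0 === strpos( $hash, '$2y$' ) ) { // bcrypt as written by password_hash()
        if ( ! function_exists( 'password_verify' ) ) {
            // The comment's edge case: password_hash() hashes deployed on an old
            // PHP. Flag the account so the login screen can send a reset email.
            if ( $user_id ) {
                update_user_meta( $user_id, 'demo_password_reset_required', 1 );
            }
            return apply_filters( 'check_password', false, $password, $hash, $user_id );
        }
        $check = password_verify( $password, $hash );
        if ( $check && $user_id && password_needs_rehash( $hash, PASSWORD_DEFAULT ) ) {
            wp_set_password( $password, $user_id ); // cost/algorithm defaults changed
        }
    } else { // phpass output ("$P$" portable or "$2a$"); core's plain-MD5 case omitted
        $check = demo_phpass_hasher()->CheckPassword( $password, $hash );
        if ( $check && $user_id && function_exists( 'password_hash' ) ) {
            wp_set_password( $password, $user_id ); // move the account forward
        }
    }
    return apply_filters( 'check_password', $check, $password, $hash, $user_id );
}
endif;
```

The reset email and login-screen notice (the second and third bullets) are left to a separate hook that reads the flagged meta key; wp_set_password() routes through the overridden wp_hash_password(), which is what upgrades a phpass hash to a password_hash() one on the next successful login.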
