[wp-trac] [WordPress Trac] #21022: Allow bcrypt to be enabled via filter for pass hashing
WordPress Trac
noreply at wordpress.org
Mon Sep 26 20:55:15 UTC 2016
#21022: Allow bcrypt to be enabled via filter for pass hashing
---------------------------------------------+-----------------------------
 Reporter:  th23                              |       Owner:
     Type:  enhancement                       |      Status:  new
 Priority:  normal                            |   Milestone:  Awaiting Review
Component:  Security                          |     Version:  3.4
 Severity:  normal                            |  Resolution:
 Keywords:  2nd-opinion has-patch 4.5-early   |     Focuses:
---------------------------------------------+-----------------------------
Comment (by tomdxw):
I looked over the past year of comments on this ticket and made a TODO list:

1. If PHP version >= 5.5.0, use the PHP function password_hash() (for lower versions of PHP, keep using the PasswordHash class from phpass).
2. If PHP version >= 5.3.7, set the $portable_hashes parameter to false (for lower versions of PHP, leave $portable_hashes set to true).
3. When a user logs in, if the site is using bcrypt and their password is hashed using portable hashes, update their hash to a bcrypt hash.
4. When a user logs in, if the site is *not* using bcrypt and their password is hashed using bcrypt (i.e. when PHP is downgraded), automatically send a password reset and show a message saying "Sorry, something has gone wrong and you must reset your password. A link has been sent to the email address you registered with. <a href="https://codex.wordpress.org/Foobar">More information</a>."

Does this look correct? Have I missed anything? If somebody produced a patch containing the above changes, could we get it committed?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:79>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
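The four TODO items in the comment above, written out as an added standalone PHP example (not WordPress core code and not the ticket's patch); the function names and strategy labels are hypothetical, phpass itself is not included (only its hash prefixes are recognised), and the script needs PHP 7 or later to run:

```php
<?php
// Added example, not WordPress core code: the four TODO items as standalone
// functions. Function names and strategy labels are hypothetical; phpass is
// not bundled here, only its "$P$" hash prefix is recognised.

// Items 1 and 2: pick the hashing scheme from the running PHP version.
function choose_strategy(string $php_version): string
{
    if (version_compare($php_version, '5.5.0', '>=')) {
        return 'native-bcrypt';   // password_hash() with PASSWORD_BCRYPT
    }
    if (version_compare($php_version, '5.3.7', '>=')) {
        return 'phpass-bcrypt';   // phpass PasswordHash, $portable_hashes = false
    }
    return 'phpass-portable';     // phpass PasswordHash, $portable_hashes = true
}

// Classify a stored hash by prefix: phpass portable hashes start with
// "$P$" (or "$H$"), bcrypt hashes with "$2a$" (phpass) or "$2y$" (PHP).
function hash_kind(string $hash): string
{
    if (preg_match('/^\$[PH]\$/', $hash))   return 'portable';
    if (preg_match('/^\$2[axy]\$/', $hash)) return 'bcrypt';
    return 'unknown';
}

// Items 3 and 4: decide what to do right after a successful login, once
// the submitted password has already been verified against $stored_hash.
function post_login_action(string $stored_hash, string $strategy): string
{
    $site_uses_bcrypt = ($strategy !== 'phpass-portable');
    $kind = hash_kind($stored_hash);
    if ($site_uses_bcrypt && $kind === 'portable') return 'rehash';      // item 3
    if (!$site_uses_bcrypt && $kind === 'bcrypt')  return 'force-reset'; // item 4
    return 'none';
}

// Walk-through on the native path (PHP >= 5.5).
$plain    = 'correct horse battery staple';          // constructed test value
$strategy = choose_strategy(PHP_VERSION);
$hash     = password_hash($plain, PASSWORD_BCRYPT, ['cost' => 10]);
echo "strategy: $strategy, stored hash kind: ", hash_kind($hash), "\n";
echo "verify: ", password_verify($plain, $hash) ? 'ok' : 'FAIL', "\n";

// A constructed "$P$" string stands in for a legacy portable hash; it is
// only classified by prefix here, never verified.
$legacy = '$P$B' . str_repeat('x', 30);
echo "legacy hash on bcrypt site: ", post_login_action($legacy, $strategy), "\n";
echo "bcrypt hash on downgraded site: ", post_login_action($hash, 'phpass-portable'), "\n";
```

The rehash branch would re-store the result of password_hash() on the just-verified plaintext; the force-reset branch is where the password-reset mail from item 4 would be sent.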