[wp-trac] [WordPress Trac] #21022: Allow bcrypt to be enabled via filter for pass hashing
WordPress Trac
noreply at wordpress.org
Tue Sep 27 19:23:42 UTC 2016
#21022: Allow bcrypt to be enabled via filter for pass hashing
---------------------------------------------+-----------------------------
 Reporter:  th23                             |       Owner:
     Type:  enhancement                      |      Status:  new
 Priority:  normal                           |   Milestone:  Awaiting Review
Component:  Security                         |     Version:  3.4
 Severity:  normal                           |  Resolution:
 Keywords:  2nd-opinion has-patch 4.5-early  |     Focuses:
---------------------------------------------+-----------------------------
Comment (by tomdxw):

 Attached a patch.

 - I've left the password-protected posts feature alone
 - But every other place where the PasswordHash class was being used,
   that's been replaced with calls to a new class (the new class still uses
   HashPassword() and CheckPassword() methods so most password-handling code
   is unchanged)
 - The new class checks whether the PHP installation supports the
   password_hash/password_verify functions (and loads a compatibility library
   for PHP >= 5.3.7 and < 5.5.0)
 - It falls back to using the PasswordHash class for PHP < 5.3.7
 - I added two filters: one handles upgrading password hashes
   automatically, and the other provides an explanation when a user logs in
   and WP is unable to use the password hash found in the database

 Of course it needs a bit of polish before it's ready to be committed, but
 is this the right approach?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:80>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
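
The flow the comment above describes (feature-detect the native functions, fall back to the legacy hasher, upgrade a hash after a successful login, and flag a hash the installation cannot use), as an added example that is not the attached patch or WordPress code. The names WrapperHasher and LegacyStub, the `$allowNative` switch and the returned array keys are assumptions; LegacyStub is a constructed stand-in for the PasswordHash class, not phpass.

```php
<?php
// Constructed stand-in for the legacy PasswordHash class so this runs offline.
// It is not phpass and not secure; it only mimics the two method names.
class LegacyStub {
    public function HashPassword($pw) { return '$P$' . hash('sha256', 'demo' . $pw); }
    public function CheckPassword($pw, $stored) {
        return hash_equals($stored, $this->HashPassword($pw));
    }
}

// Hypothetical wrapper: same method names, native bcrypt when available.
class WrapperHasher {
    private $legacy;
    private $native;

    public function __construct($legacy, $allowNative = true) {
        $this->legacy = $legacy;
        // Feature-detect: a compatibility library defines the same functions.
        $this->native = $allowNative && function_exists('password_hash');
    }

    public function HashPassword($pw) {
        return $this->native ? password_hash($pw, PASSWORD_BCRYPT)
                             : $this->legacy->HashPassword($pw);
    }

    // Returns ['ok' => bool, 'rehash' => string|null, 'unusable' => bool].
    public function CheckPassword($pw, $stored) {
        $res = ['ok' => false, 'rehash' => null, 'unusable' => false];
        if (strncmp($stored, '$2y$', 4) === 0) {          // native bcrypt hash
            if (!$this->native) { $res['unusable'] = true; return $res; }
            $res['ok'] = password_verify($pw, $stored);
            $stale = password_needs_rehash($stored, PASSWORD_BCRYPT);
        } else {                                          // legacy hash
            $res['ok'] = $this->legacy->CheckPassword($pw, $stored);
            $stale = $this->native;                       // upgrade if we can
        }
        // Rehash only after a successful check, while the plaintext is in hand.
        if ($res['ok'] && $stale) { $res['rehash'] = $this->HashPassword($pw); }
        return $res;
    }
}

$old = (new LegacyStub())->HashPassword('correct horse');  // constructed sample
$up = (new WrapperHasher(new LegacyStub()))->CheckPassword('correct horse', $old);
var_dump($up['ok'], strncmp($up['rehash'], '$2y$', 4) === 0);
// Same database row read by an installation without the native functions:
$down = (new WrapperHasher(new LegacyStub(), false))->CheckPassword('correct horse', $up['rehash']);
var_dump($down['unusable']);
```

The last call shows why the second filter matters: once a hash has been upgraded, an installation limited to the legacy hasher cannot verify it, so the caller needs a distinct "unusable" result rather than a plain failed login.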