[wp-trac] [WordPress Trac] #39499: Migrate Password Hashing from 8192 rounds of salted MD5 to Argon2i v1.3
WordPress Trac
noreply at wordpress.org
Tue Jan 10 22:59:58 UTC 2017
#39499: Migrate Password Hashing from 8192 rounds of salted MD5 to Argon2i v1.3
------------------------------------------+------------------------------
 Reporter:  paragoninitiativeenterprises  |       Owner:
     Type:  enhancement                   |      Status:  closed
 Priority:  normal                        |   Milestone:  Awaiting Review
Component:  Security                      |     Version:  trunk
 Severity:  normal                        |  Resolution:  wontfix
 Keywords:                                |     Focuses:
------------------------------------------+------------------------------
Changes (by paragoninitiativeenterprises):

* status: new => closed
* resolution: => wontfix

Comment:

Upon closer analysis, this may be a doomed prospect.

Argon2i via `\Sodium\crypto_pwhash()` (with the `*_INTERACTIVE` constants)
takes about 100ms to calculate on my machine (and requires 32 MB of
memory).

My PHP implementation is already taking several seconds with the same
memory/iteration parameters. Libsodium itself won't allow memory values
below 32 MB, so weakening security is not possible for compatibility.

I'll update this ticket if I can get the performance reasonable, but a
better idea might be just to polyfill bcrypt so PHP 5.2.4 - 5.3.7 can use
password_compat.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/39499#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform