[wp-trac] [WordPress Trac] #21022: Allow bcrypt to be enabled via filter for pass hashing
WordPress Trac
noreply at wordpress.org
Tue Oct 24 08:26:08 UTC 2017
#21022: Allow bcrypt to be enabled via filter for pass hashing
-------------------------------------------------+-------------------------
 Reporter:  th23                                 |       Owner:
     Type:  enhancement                          |      Status:  new
 Priority:  normal                               |   Milestone:  Future
Component:  Security                             |              Release
 Severity:  normal                               |     Version:  3.4
 Keywords:  2nd-opinion has-patch needs-testing  |  Resolution:
            4.9-early                            |     Focuses:
-------------------------------------------------+-------------------------
Comment (by my1xt):
@swalkinshaw full ack on what you say.
But when it is so '''desperately''' needed to use some portable hash, why
not use an at least marginally safer hash like SHA-256 or SHA-512 as a base
and iterate on that?
Sure, this isn't a very good idea, but it certainly is better than MD5 and
should fulfill compatibility down to PHP 5.2: I went into the museum of
PHP releases, grabbed PHP 5.2.0, started up a shell and let it list
hash_algos, which had SHA-512.
But the key word remains desperately. One of the two approaches, either
1) just using what's available and, when someone really is either stupid or
unlucky enough to downgrade to 5.2, having them reset the password, or
2) axing PHP < 5.3.7 completely in the next major and going full on with
password_hash,
should really be taken rather than upgrading the utterly crappy portable
password hash into a less junk but still pretty bad, but portable, password
hash.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:94>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
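The two options weighed in the comment above, as an added example written for this page (it is not WordPress core code, not the ticket's patch, and not the commenter's own code): prefer the native `password_hash()` bcrypt API where it exists, and otherwise fall back to a salted, iterated SHA-512 built from nothing but `hash()` and `hash_algos()`, which the commenter reports finding on PHP 5.2.0. All `example_*` function names, the `$example-sha512$` encoding, the iteration count and the bcrypt cost are this example's own assumptions, not a WordPress API.

```php
<?php
// Added example, not WordPress core and not the commenter's patch.
// Names, cost and iteration count are arbitrary choices for illustration.
define('EXAMPLE_BCRYPT_COST', 12);
define('EXAMPLE_SHA512_ITERATIONS', 100000);

// True when the native bcrypt API (PHP >= 5.5) is usable.
function example_bcrypt_available() {
    return function_exists('password_hash') && defined('PASSWORD_BCRYPT');
}

// The hash_algos() check described in the comment: is SHA-512 compiled in?
function example_sha512_available() {
    return function_exists('hash_algos') && in_array('sha512', hash_algos(), true);
}

// Hex-encoded 128-bit salt from whatever CSPRNG the runtime offers.
function example_random_salt() {
    if (function_exists('random_bytes')) {                 // PHP >= 7.0
        return bin2hex(random_bytes(16));
    }
    if (function_exists('openssl_random_pseudo_bytes')) {  // PHP >= 5.3
        return bin2hex(openssl_random_pseudo_bytes(16));
    }
    throw new RuntimeException('no CSPRNG available');
}

// Constant-time string compare; hash_equals() only exists from PHP 5.6.
function example_compare($a, $b) {
    if (function_exists('hash_equals')) {
        return hash_equals($a, $b);
    }
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Portable fallback: salt + iterated SHA-512, encoded as
// "$example-sha512$<iterations>$<hex salt>$<hex digest>".
// This is the "less junk but still pretty bad" option from the comment:
// plain iteration is neither PBKDF2 (no HMAC) nor memory-hard, so it is
// only a stopgap until bcrypt is available.
function example_iterated_sha512_hash($password, $salt = null, $iterations = EXAMPLE_SHA512_ITERATIONS) {
    if ($salt === null) {
        $salt = example_random_salt();
    }
    $h = hash('sha512', $salt . $password, true);
    for ($i = 1; $i < $iterations; $i++) {
        // Feed the previous raw digest plus the password back in each round.
        $h = hash('sha512', $h . $password, true);
    }
    return '$example-sha512$' . $iterations . '$' . $salt . '$' . bin2hex($h);
}

function example_iterated_sha512_verify($password, $stored) {
    $parts = explode('$', $stored);
    if (count($parts) !== 5 || $parts[1] !== 'example-sha512') {
        return false;
    }
    $iterations = (int) $parts[2];
    if ($iterations < 1) {
        return false;
    }
    $recomputed = example_iterated_sha512_hash($password, $parts[3], $iterations);
    return example_compare($stored, $recomputed);
}

// Front door: bcrypt when present, iterated SHA-512 only as a fallback.
function example_hash_password($password) {
    if (example_bcrypt_available()) {
        return password_hash($password, PASSWORD_BCRYPT, array('cost' => EXAMPLE_BCRYPT_COST));
    }
    if (example_sha512_available()) {
        return example_iterated_sha512_hash($password);
    }
    throw new RuntimeException('no acceptable password hash available');
}

function example_verify_password($password, $stored) {
    if (strpos($stored, '$2y$') === 0 && function_exists('password_verify')) {
        return password_verify($password, $stored);
    }
    return example_iterated_sha512_verify($password, $stored);
}

// True when a stored fallback hash should be upgraded to bcrypt at next
// successful login (the transparent form of "reset the password").
function example_needs_rehash($stored) {
    return example_bcrypt_available() && strpos($stored, '$2y$') !== 0;
}
```

The `$2y$` prefix check is how the verifier tells a `password_hash()` bcrypt string from the fallback format; on a successful login `example_needs_rehash()` lets the caller replace a fallback hash with a bcrypt one once the runtime has been upgraded, which is the practical version of option 1 in the comment.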