[wp-trac] [WordPress Trac] #39499: Migrate Password Hashing from 8192 rounds of salted MD5 to Argon2i v1.3
WordPress Trac
noreply at wordpress.org
Mon Jun 25 08:37:42 UTC 2018
#39499: Migrate Password Hashing from 8192 rounds of salted MD5 to Argon2i v1.3
------------------------------------------+----------------------
Reporter: paragoninitiativeenterprises | Owner: (none)
Type: enhancement | Status: closed
Priority: normal | Milestone:
Component: Security | Version: 4.8
Severity: normal | Resolution: wontfix
Keywords: | Focuses:
------------------------------------------+----------------------
Comment (by my1xt):
Sorry for blasting a comment on this old bug, but I wanted to drop a few
words on this.
Actually, there are a few things that can be updated and a few things
making this proposal way out of proportion for a general-purpose thing
like WP.
The good thing is Argon2i isn't the only usable way of Argon2 by now, but
we also have Argon2id, which is a lot more resistant to tradeoffs and
wouldn't need multiple rounds but can apparently survive with just one,
making this a lot less of an issue.
But still I think this idea is probably doomed for about 1 and a half
(Argon2i) or 2 and a half years (Argon2id).
The problem with the approach planned would be to use Sodium, which
obviously has the problem of, well, using Sodium, or rather a PHP
extension, which probably isn't widely deployed in general. That would lead
to people using older WP versions, which all have their own problems, and kill
auto update, because an update would totally kill off their sites if we
would make Sodium a requirement.
Instead, going to ax off PHP < 5.3.7 and going for bcrypt would probably be
the best way to start, and after that starting to move everything towards
only supported versions of PHP, which, 2 years after PHP 7.2 for Argon2i
and 2 years after 7.3 for Argon2id, would mean all versions supported by
PHP would have those hashes available in password_hash without even
relying on a core extension that might not be enabled.
Although even that will probably take a while, since there are still
2.9-10.4% of WP users on a version which can't do bcrypt properly (2.9% are
on 5.2, which definitely isn't going to work, while 7.5% are on 5.3, but
without stats about the patch version we wouldn't have accurate numbers).
Maybe the numbers shift a bit again when PHP 5 as a whole gets dropped at
the end of this year.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39499#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
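As an added illustration of the migration path the comment above argues for (bcrypt via `password_hash` first, Argon2i/Argon2id when the running PHP build offers them, no dependency on the Sodium extension), here is a rehash-on-login routine. This is example code written for this page, not code from the ticket, from WordPress core or from the phpass project. The phpass portable-hash verifier is a from-scratch reimplementation of the public phpass algorithm (the "8192 rounds of salted MD5" in the ticket title corresponds to cost character `B`); the assumption that legacy WordPress hashes start with `$P$` is the phpass portable prefix WordPress uses, and the cost parameters chosen for bcrypt and Argon2 are illustrative values, not WordPress defaults. The sample password and salt at the bottom are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Alphabet phpass uses for both the cost character and the digest encoding.
const PHPASS_ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// phpass' own base64 variant (not RFC 4648): bytes packed little-endian, 6 bits per char.
function phpass_encode64(string $input, int $count): string
{
    $itoa64 = PHPASS_ITOA64;
    $output = '';
    $i = 0;
    do {
        $value = ord($input[$i++]);
        $output .= $itoa64[$value & 0x3f];
        if ($i < $count) {
            $value |= ord($input[$i]) << 8;
        }
        $output .= $itoa64[($value >> 6) & 0x3f];
        if ($i++ >= $count) {
            break;
        }
        if ($i < $count) {
            $value |= ord($input[$i]) << 16;
        }
        $output .= $itoa64[($value >> 12) & 0x3f];
        if ($i++ >= $count) {
            break;
        }
        $output .= $itoa64[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $output;
}

// Recompute a phpass portable hash: "$P$" + cost char + 8-char salt + 22-char digest.
// Cost char 'B' is index 13 in the alphabet, so the loop runs 2^13 = 8192 MD5 rounds.
// Returns null when $setting is not a well-formed phpass hash.
function phpass_crypt(string $password, string $setting): ?string
{
    if (strlen($setting) < 12 || substr($setting, 0, 3) !== '$P$') {
        return null;
    }
    $count_log2 = strpos(PHPASS_ITOA64, $setting[3]);
    if ($count_log2 === false || $count_log2 < 7 || $count_log2 > 30) {
        return null;
    }
    $count = 1 << $count_log2;
    $salt = substr($setting, 4, 8);
    $hash = md5($salt . $password, true);
    do {
        $hash = md5($hash . $password, true);
    } while (--$count);
    return substr($setting, 0, 12) . phpass_encode64($hash, 16);
}

function phpass_verify(string $password, string $stored): bool
{
    $computed = phpass_crypt($password, $stored);
    return $computed !== null && hash_equals($stored, $computed);
}

// Strongest algorithm this build offers: Argon2id (7.3+), Argon2i (7.2+), else bcrypt.
// The Argon2 constants only exist when PHP was compiled with Argon2 support, hence defined().
function best_password_algo()
{
    if (defined('PASSWORD_ARGON2ID')) {
        return PASSWORD_ARGON2ID;
    }
    if (defined('PASSWORD_ARGON2I')) {
        return PASSWORD_ARGON2I;
    }
    return PASSWORD_BCRYPT;
}

// Illustrative cost settings (assumption for this example, not WordPress policy).
function password_algo_options($algo): array
{
    if ($algo === PASSWORD_BCRYPT) {
        return ['cost' => 12];
    }
    return ['memory_cost' => 64 * 1024, 'time_cost' => 3, 'threads' => 1];
}

// Verify $password against $stored; on success return [true, $new_hash] where $new_hash
// is non-null when the stored hash is legacy phpass or below current policy, so the
// caller can persist it (rehash-on-login). Returns [false, null] on failure.
function verify_and_upgrade(string $password, string $stored): array
{
    $algo = best_password_algo();
    $opts = password_algo_options($algo);
    if (substr($stored, 0, 3) === '$P$') {            // legacy phpass portable hash
        if (!phpass_verify($password, $stored)) {
            return [false, null];
        }
        return [true, password_hash($password, $algo, $opts)];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    $new = password_needs_rehash($stored, $algo, $opts) ? password_hash($password, $algo, $opts) : null;
    return [true, $new];
}

// Demo with a constructed legacy hash (fixed salt 'abcdefgh', cost 'B' = 8192 rounds).
$legacy = phpass_crypt('correct horse battery staple', '$P$Babcdefgh');
[$ok, $upgraded] = verify_and_upgrade('correct horse battery staple', $legacy);
printf("legacy login ok=%s, upgraded to %s\n", var_export($ok, true), password_get_info($upgraded)['algoName']);
[$ok2, $again] = verify_and_upgrade('correct horse battery staple', $upgraded);
printf("second login ok=%s, rehash needed=%s\n", var_export($ok2, true), var_export($again !== null, true));
[$bad, $none] = verify_and_upgrade('wrong password', $upgraded);
printf("wrong password ok=%s\n", var_export($bad, true));
```

Because the upgrade only happens inside a successful login, the stored phpass hashes disappear gradually as users sign in, and `password_needs_rehash()` later drives the same routine to move bcrypt hashes to Argon2 once the site's PHP gains it, with no flag day and no Sodium dependency.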