[wp-trac] [WordPress Trac] #21022: Use bcrypt for password hashing; updating old hashes
WordPress Trac
noreply at wordpress.org
Thu Jul 11 18:01:23 UTC 2019
#21022: Use bcrypt for password hashing; updating old hashes
-------------------------------------------------+-------------------------
Reporter: th23 | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Future Release
Component: Security | Version: 3.4
Severity: major | Resolution:
Keywords: 2nd-opinion has-patch needs-testing dev-feedback | Focuses:
-------------------------------------------------+-------------------------
Comment (by paragoninitiativeenterprises):
> I'm not a programmer, but Dropbox probably has a nice approach to this
> problem - using SHA512 along with the bcrypt.

[https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016#bcrypt Proceed with caution].
The best strategy here, in our opinion, would be to
`base64_encode(hash('', '', true))` instead of `hash('', '')`. You'll get
a higher information density before the 72 character truncation.
Even unmodified bcrypt is a lot more secure than the current state of
affairs with MD5. Bcrypt-SHA2 is the most robust strategy until the whole
world can move on to Argon2.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:111>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
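As an added illustration of the point made in the comment above (this is not code from the ticket, from WordPress, or from Paragon), the following Python mirrors the PHP choice between `hash('sha512', $pw)` and `base64_encode(hash('sha512', $pw, true))` and measures how many bits of the digest bcrypt still sees after its 72-byte truncation. It uses only `hashlib` and `base64` from the standard library; the digest name is a parameter so the same comparison runs for other SHA-2 sizes. It also shows why the base64 step matters beyond density: a raw binary digest can contain a 0x00 byte, and bcrypt implementations stop reading at a NUL, so a raw digest passed straight in can be silently cut short. The optional final step assumes the third-party `bcrypt` package and the names `hash_password` / `verify_password` are mine.

```python
import base64
import hashlib
from typing import Optional

# bcrypt consumes only the first 72 bytes of its input; the rest is ignored.
BCRYPT_MAX_BYTES = 72


def raw_prehash(password: bytes, algo: str = "sha512") -> bytes:
    """Equivalent of PHP hash($algo, $pw, true): the raw binary digest."""
    return hashlib.new(algo, password).digest()


def prehash_hex(password: bytes, algo: str = "sha512") -> bytes:
    """Equivalent of PHP hash($algo, $pw): lowercase hex, 4 digest bits per byte."""
    return hashlib.new(algo, password).hexdigest().encode("ascii")


def prehash_base64(password: bytes, algo: str = "sha512") -> bytes:
    """Equivalent of PHP base64_encode(hash($algo, $pw, true)): 6 digest bits per
    byte, and the output never contains a NUL byte."""
    return base64.b64encode(raw_prehash(password, algo))


def surviving_digest_bits(encoded: bytes, decode) -> int:
    """Bits of the underlying digest that remain after bcrypt truncates `encoded`
    to 72 bytes; `decode` inverts the text encoding that was applied."""
    return len(decode(encoded[:BCRYPT_MAX_BYTES])) * 8


def compare_prehash_encodings(password: bytes, algo: str = "sha512") -> dict:
    """Digest bits that reach bcrypt under each encoding, plus the full digest size."""
    full_bits = hashlib.new(algo).digest_size * 8
    hex_kept = surviving_digest_bits(
        prehash_hex(password, algo), lambda s: bytes.fromhex(s.decode("ascii")))
    b64_kept = surviving_digest_bits(prehash_base64(password, algo), base64.b64decode)
    return {"full": full_bits, "hex": hex_kept, "base64": b64_kept}


def raw_digest_with_nul(algo: str = "sha512", limit: int = 20000) -> Optional[bytes]:
    """Search constructed passwords for one whose raw digest contains 0x00.
    Roughly one in five SHA-512 digests does, so this returns quickly. Feeding
    such a raw digest directly to bcrypt would truncate it at the NUL."""
    for i in range(limit):
        candidate = b"constructed-password-%d" % i
        if b"\x00" in raw_prehash(candidate, algo):
            return candidate
    return None


def hash_password(password: bytes, rounds: int = 12) -> bytes:
    """Full pipeline: base64(SHA-512(pw)) -> bcrypt. Requires the `bcrypt` package."""
    import bcrypt  # pip install bcrypt (assumed, not part of the standard library)
    return bcrypt.hashpw(prehash_base64(password), bcrypt.gensalt(rounds))


def verify_password(password: bytes, stored: bytes) -> bool:
    """Verification applies the identical pre-hash before handing off to bcrypt."""
    import bcrypt
    return bcrypt.checkpw(prehash_base64(password), stored)


if __name__ == "__main__":
    pw = b"correct horse battery staple"  # constructed sample input
    for algo in ("sha256", "sha384", "sha512"):
        print(algo, compare_prehash_encodings(pw, algo))
    nul_pw = raw_digest_with_nul()
    print("raw digest with NUL byte found for:", nul_pw)
    print("base64 form of it contains NUL:", b"\x00" in prehash_base64(nul_pw))
    try:
        stored = hash_password(pw)
        print("bcrypt verify:", verify_password(pw, stored))
    except ImportError:
        print("bcrypt package not installed; skipping final step")
```

For SHA-512 the hex form loses everything past 288 bits while the base64 form keeps 432 of the 512 bits, which is the "higher information density" the comment refers to; the base64 output is also guaranteed free of NUL bytes, so nothing is cut off before the 72-byte limit. The same pre-hash must be applied on verification, and migrating existing MD5-based hashes still needs the rehash-on-login path the ticket discusses.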