[wp-trac] [WordPress Trac] #21022: Use bcrypt for password hashing; updating old hashes

WordPress Trac noreply at wordpress.org
Wed Sep 18 00:47:52 UTC 2019


#21022: Use bcrypt for password hashing; updating old hashes
-------------------------------------------------+-------------------------
 Reporter:  th23                                 |       Owner:  (none)
     Type:  enhancement                          |      Status:  new
 Priority:  normal                               |   Milestone:  Future
                                                 |  Release
Component:  Security                             |     Version:  3.4
 Severity:  major                                |  Resolution:
 Keywords:  2nd-opinion has-patch needs-testing  |     Focuses:
  dev-feedback                                   |
-------------------------------------------------+-------------------------

Comment (by my1xt):

 Regarding the red herring and all the other points, I am going to make an
 extra comment just so that it is easier to read.


 Let's be honest:
 {{{#!php
 <?php
 // base64-encode the password before hashing it; PHP's function is base64_encode()
 password_hash(base64_encode($password), PASSWORD_BCRYPT);
 }}}
 is one of the dumbest ideas ever, aside from a little bit of rainbow table
 prevention, because it limits our options even further, as we actually
 artificially inflate the password.

 The base64 output (ignoring padding) is 4/3 the length of the input. So,
 flipping this upside down, the input is 3/4 of the output, meaning we would
 be down to 54 characters before base64, so let's just not do that.

 ----

 About using PASSWORD_DEFAULT instead of forcing bcrypt: while I am
 generally in big favor of Argon, there are 2 problems with that.

 1) The PHP spec says that PASSWORD_DEFAULT can already change 1 version
 after an algorithm has been introduced, meaning that a release without that
 new hash can still be on the supported list as security-only (they
 generally support 3 at a time, with the last one being security-only).

 2) Argon2 shows the VERY real problem that just because you have a PHP
 version, you aren't guaranteed to have a certain hash function.

 3) The idea of downgrading PHP on migration or whatever seems very real
 here in WP; after all, this is what holds/held this back for SEVEN YEARS
 already.

 So currently, sadly, bcrypt is the only really available hash function,
 even though I am not happy with it myself.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:117>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
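As an added example (not code from the ticket, from the commenter, or from WordPress core), the following PHP script measures the two things the comment above argues: it probes how many password bytes bcrypt really consumes, first on its own and then with a base64_encode step in front, and it lists which password hashing algorithms the running PHP build actually offers, which is the Argon2 availability problem from point 2. The function names bcrypt_collides, effective_limit and available_password_algos are this example's own; password_hash, password_verify and password_algos are real PHP functions (password_algos needs PHP 7.4+).

```php
<?php
declare(strict_types=1);

// Added example, not from the ticket or from WordPress core. It demonstrates
// that bcrypt only consumes the first 72 bytes of its input, so base64-encoding
// the password first (4 output bytes per 3 input bytes) cuts the usable
// password length to 72 * 3/4 = 54 bytes. Requires PHP 7.4+ (password_algos()).

// Returns true when $a and $b are indistinguishable to bcrypt after $transform
// has been applied, i.e. a hash of $a verifies successfully against $b.
function bcrypt_collides(string $a, string $b, ?callable $transform = null): bool
{
    $transform = $transform ?? fn(string $p): string => $p;
    // Cost 4 is the minimum bcrypt allows and keeps this probe fast;
    // it is far too low for real password storage.
    $hash = password_hash($transform($a), PASSWORD_BCRYPT, ['cost' => 4]);
    return password_verify($transform($b), $hash);
}

// Finds the smallest prefix length $n at which two passwords that share their
// first $n bytes and differ only in the byte after it still collide, i.e. the
// number of password bytes bcrypt actually takes into account after $transform.
function effective_limit(?callable $transform = null, int $max = 80): int
{
    for ($n = 1; $n <= $max; $n++) {
        $prefix = str_repeat('a', $n);
        if (bcrypt_collides($prefix . 'X', $prefix . 'Y', $transform)) {
            return $n;
        }
    }
    return -1; // no truncation observed up to $max bytes
}

// Lists the password hashing algorithms compiled into this PHP build. Argon2
// is optional at build time, which is the availability problem described above.
function available_password_algos(): array
{
    return password_algos();
}

$raw    = effective_limit();                 // bcrypt alone
$base64 = effective_limit('base64_encode');  // base64 first, then bcrypt

echo "bcrypt alone uses the first {$raw} bytes of the password\n";
echo "base64 + bcrypt uses the first {$base64} bytes of the password\n";
echo "password algorithms in this build: " . implode(', ', available_password_algos()) . "\n";
echo "PASSWORD_DEFAULT currently resolves to: " . PASSWORD_DEFAULT . "\n";
```

On any PHP 7.4+ build this reports 72 bytes for bcrypt alone and 54 bytes with base64_encode in front, which is exactly the 3/4 figure in the comment; the algorithm list shows whether argon2i/argon2id are present, and the PASSWORD_DEFAULT line shows what a hash written with that constant would actually use on this particular build.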