[wp-trac] [WordPress Trac] #21022: Use bcrypt for password hashing; updating old hashes
WordPress Trac
noreply at wordpress.org
Wed Sep 18 04:50:04 UTC 2019
#21022: Use bcrypt for password hashing; updating old hashes
-------------------------------------------------+-------------------------
Reporter: th23 | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Future Release
Component: Security | Version: 3.4
Severity: major | Resolution:
Keywords: 2nd-opinion has-patch needs-testing dev-feedback | Focuses:
-------------------------------------------------+-------------------------
Comment (by deadduck169):
I think you guys are way over-complicating things here:
1) Always use complete cryptographically secure hashing algorithms. These
have been tried and tested for years, whereas their truncated forms have
not. Truncated hashes are therefore insecure and using them means you're
essentially rolling your own crypto.
2) Bcrypt allows up to 72 bytes (576 bits) of input. SHA-512 produces a
64-bit (512 byte) hash, which fits perfectly in Bcrypt, with space left
over. There's absolutely no reason you can't input binary:
{{{#!php
<?php
$password = 'test';
$sha512_hash = hash('sha512', $password);
$binary = hex2bin($sha512_hash);
$password_hash = password_hash($binary, PASSWORD_DEFAULT);
var_dump(password_verify($binary, $password_hash)); // Output: bool(true)
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:118>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac mailing list
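Added example, not the commenter's code and not WordPress core: a PHP sketch that puts the raw-binary pre-hash from the comment next to the two properties any bcrypt pre-hash has to respect, the 72-byte input window and bcrypt's C-string handling of the password (a 0x00 byte ends the input). The helper names are mine and it assumes PHP 7.1 or later for the nullable return type.

```php
<?php
// Added example (not from the ticket or WordPress core): pre-hashing a
// password before bcrypt, showing the two pitfalls a pre-hash must avoid:
// bcrypt reads its input as a C string (a 0x00 byte ends it) and uses only
// the first 72 bytes.

// Raw SHA-512 digest: 64 bytes that may contain 0x00 (same bytes as the
// hex2bin(hash('sha512', ...)) form used in the comment above).
function prehashBinary(string $password): string
{
    return hash('sha512', $password, true);
}

// Text pre-hash: base64 of a SHA-384 digest is 64 printable chars, so it
// can never contain 0x00 and always fits inside bcrypt's 72-byte window.
function prehashText(string $password): string
{
    return base64_encode(hash('sha384', $password, true));
}

// Wrap password_hash so a NUL byte or an over-long input is caught before it
// reaches bcrypt, where it would be cut short (or make password_hash throw).
function bcryptPrehashed(string $prehashed): ?string
{
    if (strpos($prehashed, "\0") !== false || strlen($prehashed) > 72) {
        return null; // unsafe input for bcrypt: refuse rather than truncate
    }
    return password_hash($prehashed, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Shows the 72-byte truncation with the hex form of SHA-512 (128 chars):
// everything after byte 72 is ignored, so a different tail still verifies.
function tailIgnored(string $password): bool
{
    $hex  = hash('sha512', $password);                  // 128 hex chars
    $hash = password_hash($hex, PASSWORD_BCRYPT, ['cost' => 4]);
    $tampered = substr($hex, 0, 72) . str_repeat('x', 56);
    return password_verify($tampered, $hash);           // true
}

$password = 'test';
$binary = prehashBinary($password);
printf("raw SHA-512 digest contains NUL: %s\n",
    strpos($binary, "\0") !== false ? 'yes' : 'no');
printf("bcrypt of raw digest: %s\n", bcryptPrehashed($binary) ?? 'refused');
printf("bcrypt of text pre-hash: %s\n", bcryptPrehashed(prehashText($password)));
printf("tail after 72 bytes ignored: %s\n", tailIgnored($password) ? 'yes' : 'no');
```

Running it for the comment's own input `'test'` shows whether the raw digest carries a 0x00 byte and that the hex form verifies against a tampered tail, which is why a pre-hash should be a short printable encoding rather than raw bytes or a full 128-char hex string.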