[wp-trac] [WordPress Trac] #21022: Use bcrypt for password hashing; updating old hashes
WordPress Trac
noreply at wordpress.org
Wed Sep 18 05:41:08 UTC 2019
#21022: Use bcrypt for password hashing; updating old hashes
-------------------------------------------------+-------------------------
Reporter: th23 | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Future Release
Component: Security | Version: 3.4
Severity: major | Resolution:
Keywords: 2nd-opinion has-patch needs-testing dev-feedback | Focuses:
-------------------------------------------------+-------------------------
Comment (by paragoninitiativeenterprises):
> There's absolutely no reason you can't input binary:
What do you think the output of the following code would be?
{{{
<?php
$correctPW = '34a124424f065ae13936064ab366d9';
$bad = 'be6759bc425ed7b26c177cf53af82b1ed519';

// Pre-hash with the raw (binary) SHA-512 digest, then bcrypt it.
// bcrypt treats its input as a C string: anything after the first NUL byte
// in the 64 raw digest bytes is ignored.
$hash = password_hash(hash('sha512', $correctPW, true), PASSWORD_BCRYPT);

// Verify a different string against the same bcrypt hash.
var_dump(
    password_verify(
        hash('sha512', $bad, true),
        $hash
    )
);
}}}
I'll give you a hint: https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016#bcrypt
Code output: https://3v4l.org/2FTaS
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:119>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
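The NUL-byte problem the comment above points at, beside the encoded pre-hash pattern the linked Paragon article recommends. This is an added example, not code from the ticket or from WordPress core; it assumes the bcrypt behaviour described in the comment (input read as a C string, truncated at the first NUL byte, 72-byte limit) and PHP 5.5 or later for password_hash().

```php
<?php
// Added example, not from the ticket. Assumes PHP >= 5.5 (password_hash).

// Unsafe: the raw 64-byte SHA-512 digest may contain NUL bytes, and bcrypt
// stops reading at the first one, so distinct passwords whose raw digests
// agree up to that NUL verify against the same hash.
function unsafe_hash(string $password): string {
    return password_hash(hash('sha512', $password, true), PASSWORD_BCRYPT);
}
function unsafe_verify(string $password, string $hash): bool {
    return password_verify(hash('sha512', $password, true), $hash);
}

// Safe: base64-encode a SHA-384 digest. 48 raw bytes become 64 printable
// characters, which can never contain NUL and stay under bcrypt's 72-byte
// input limit, so nothing is silently dropped.
function safe_hash(string $password): string {
    return password_hash(base64_encode(hash('sha384', $password, true)), PASSWORD_BCRYPT);
}
function safe_verify(string $password, string $hash): bool {
    return password_verify(base64_encode(hash('sha384', $password, true)), $hash);
}

// Guard that can be run on any pre-hash before it reaches bcrypt:
// it must be free of NUL bytes and no longer than 72 bytes.
function prehash_is_bcrypt_safe(string $prehash): bool {
    return strpos($prehash, "\0") === false && strlen($prehash) <= 72;
}

// Demonstration with the two strings from the comment above.
$correctPW = '34a124424f065ae13936064ab366d9';
$bad       = 'be6759bc425ed7b26c177cf53af82b1ed519';

// Raw digest: the guard reports whether this particular input is affected.
var_dump(prehash_is_bcrypt_safe(hash('sha512', $correctPW, true)));
// Encoded digest: always passes the guard.
var_dump(prehash_is_bcrypt_safe(base64_encode(hash('sha384', $correctPW, true))));

// With the encoded pre-hash only the real password verifies.
$h = safe_hash($correctPW);
var_dump(safe_verify($correctPW, $h));
var_dump(safe_verify($bad, $h));
```

Running the unsafe pair against the same two strings reproduces the result linked in the comment; the guard function is the cheap pre-check that would have caught it.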