[wp-trac] [WordPress Trac] #21022: Use bcrypt for password hashing; updating old hashes
WordPress Trac
noreply at wordpress.org
Wed Sep 18 07:13:44 UTC 2019
#21022: Use bcrypt for password hashing; updating old hashes
-------------------------------------------------+-------------------------
Reporter: th23                                   | Owner: (none)
Type: enhancement                                | Status: new
Priority: normal                                 | Milestone: Future Release
Component: Security                              | Version: 3.4
Severity: major                                  | Resolution:
Keywords: 2nd-opinion has-patch needs-testing    | Focuses:
          dev-feedback                           |
-------------------------------------------------+-------------------------
Comment (by paragoninitiativeenterprises):
Replying to [comment:121 mbijon]:
> Funny @paragoninitiativeenterprises, I just found the pointer
> dereference in PHP's bcrypt:
> https://github.com/php/php-src/blob/master/ext/standard/crypt_blowfish.c#L613.
> Combining crypto methods is never a good idea, eh.
Most cryptography vulnerabilities exist in the mortar, not the bricks.
> I can't help but worry your bcrypt-sha512-base64 solution will make
> jumping to `PASSWORD_DEFAULT` harder @paragoninitiativeenterprises. But
> heck! it's still 10^6^ better than SHA, and way closer to vanilla
> `password_hash()` than we have now.
It won't make it significantly difficult.
We just need to ensure a reasonable migration path exists for post-bcrypt
password hashes, in the same spirit as
https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016#legacy-hashes
and https://make.wordpress.org/core/2019/05/17/security-in-5-2
Back on focus: This ticket was originally targeting WordPress 3.4 when a
PHP 5.2 minimum was unlikely to change.
Surely with a minimum PHP of 5.6 (the story today) we can seriously
consider migrating to bcrypt in a near-future release?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:122>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
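The migration path the comment above asks for, as an added example (not code from the ticket, its commenters, or WordPress core): verify against whatever hash is stored, accept a legacy hash once, and rewrite it as bcrypt over a base64(SHA-512) pre-hash, rehashing again later if the cost is raised. The `$wp$` marker, `wp_legacy_check()` (an MD5 stand-in for the phpass path) and the function names are assumptions.

```php
<?php
// Added example, not from the ticket or WordPress core. Written for PHP 5.6+
// (password_hash() needs 5.5). Names marked "assumed" are illustrative only.
define('WP_BCRYPT_MARK', '$wp$'); // assumed marker for pre-hashed bcrypt entries
define('WP_BCRYPT_COST', 10);

// bcrypt truncates input at 72 bytes and stops at a NUL byte; hashing first
// with SHA-512 and base64-encoding the raw digest (88 printable chars)
// avoids both while keeping the whole password in play.
function wp_prehash($password) {
    return base64_encode(hash('sha512', $password, true));
}

function wp_hash_password_new($password) {
    $opts = array('cost' => WP_BCRYPT_COST);
    return WP_BCRYPT_MARK . password_hash(wp_prehash($password), PASSWORD_BCRYPT, $opts);
}

// Stand-in for the legacy (phpass) check; the real project call is assumed.
// Pre-2.5 WordPress stored plain MD5, which this stand-in imitates.
function wp_legacy_check($password, $hash) {
    return hash_equals($hash, md5($password));
}

// Returns true on success; $stored_hash is rewritten in place when the
// record needs upgrading (legacy hash, or bcrypt cost below the target).
function wp_verify_and_upgrade($password, &$stored_hash) {
    $mark_len = strlen(WP_BCRYPT_MARK);
    if (substr($stored_hash, 0, $mark_len) === WP_BCRYPT_MARK) {
        $bcrypt = substr($stored_hash, $mark_len);
        if (!password_verify(wp_prehash($password), $bcrypt)) {
            return false;
        }
        // Cost raised since this hash was made? Rehash transparently.
        if (password_needs_rehash($bcrypt, PASSWORD_BCRYPT, array('cost' => WP_BCRYPT_COST))) {
            $stored_hash = wp_hash_password_new($password);
        }
        return true;
    }
    // Anything else is a legacy hash: verify the old way once, then upgrade.
    if (!wp_legacy_check($password, $stored_hash)) {
        return false;
    }
    $stored_hash = wp_hash_password_new($password);
    return true;
}

// Constructed demo: an MD5-era record is upgraded on a successful login.
$record = md5('correct horse battery staple');
wp_verify_and_upgrade('correct horse battery staple', $record);
var_dump(substr($record, 0, strlen(WP_BCRYPT_MARK)) === WP_BCRYPT_MARK);
```

A later move to vanilla `PASSWORD_DEFAULT` only needs one more branch keyed on the stored prefix, which is why the marker is kept separate from the bcrypt string.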