[wp-trac] [WordPress Trac] #50027: Retire Phpass and use PHP native password hashing

WordPress Trac noreply at wordpress.org
Wed Apr 29 10:36:12 UTC 2020


#50027: Retire Phpass and use PHP native password hashing
-------------------------+-------------------------------------------------
 Reporter:  ayeshrajans  |      Owner:  (none)
     Type:  defect       |     Status:  new
  (bug)                  |
 Priority:  normal       |  Milestone:  Awaiting Review
Component:  General      |    Version:
 Severity:  normal       |   Keywords:  2nd-opinion needs-unit-tests needs-
  Focuses:               |  patch
-------------------------+-------------------------------------------------
 PHP comes with built-in password hashing functions since PHP 5.5. Now that
 we have updated the minimum requirements to PHP 5.6, we can rely on PHP to
 provide us with password hashing mechanisms that ensure that
 cryptographically secure random numbers are used for the salt, and that the
 hashes are backwards compatible.

 I created and maintain the [https://wordpress.org/plugins/password-hash/ PHP
 Native Password Hash] plugin to swap WordPress's baked-in Phpass with
 PHP's native functions.


 **0. Phpass recommends using PHP native hashing**

 > At this time, if your new project can afford to require PHP 5.5+, which
 it should, please use PHP's native password_hash() / password_verify() API
 instead of phpass.

 I propose that we upgrade the hashing mechanisms to the
 password_hash()/password_verify()/password_needs_rehash() combo.

 **1. We do not need to force users to change their passwords.**

 Phpass-hashed passwords have the signature `$P`, and the very old MD5
 hashes are fewer than 32 characters long. We will inspect the signature
 first, and if the password is using the old standard, we will validate the
 password one last time, and then use password_hash() to rehash it. From
 this point forward, that user is "upgraded" to the new mechanism.

 **2. Expose a filter for plugins**

 The plugin I maintain supports BCrypt, Argon2I, and Argon2ID for hashing.
 We can expose a filter that WordPress core emits so plugins can change the
 hashing algorithm if necessary.

 **3. Use BCrypt as the default algorithm**

 If a plugin does not take over, WordPress core will use BCrypt. BCrypt is
 secure, and is available in every PHP version from 5.5 onwards (5.6, 7.*
 and 8.*).

 **4. Do not remove Phpass**

 We will **not** remove Phpass from WordPress core. This is needed for
 backwards compatibility to ensure that existing users will eventually be
 updated.
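
 The verify-then-upgrade flow described in items 1 and 3, as an added
 example that is not WordPress core or plugin code. `$phpass_check` is an
 assumed callable standing in for the existing Phpass verifier, and the
 bcrypt cost and demo credentials are constructed values.

```php
<?php
// Added example, not WordPress core or plugin code: verify against whatever
// hash format is stored, and rehash with the native API once the password
// has been confirmed. $phpass_check is an assumed callable standing in for
// the existing Phpass verifier; the cost below is a constructed value.

const DEMO_BCRYPT_OPTIONS = array('cost' => 12); // assumed cost, not a WordPress default

/**
 * Check $password against $stored. Returns the hash that should now be kept
 * for the user (unchanged when it is already current), or null on a mismatch.
 */
function verify_and_upgrade($password, $stored, $phpass_check)
{
    if (strncmp($stored, '$P$', 3) === 0) {
        // Phpass portable hash: validate one last time with the legacy code.
        $ok = (bool) $phpass_check($password, $stored);
    } elseif (strlen($stored) <= 32) {
        // Pre-Phpass unsalted MD5 (32 hex characters): constant-time compare.
        $ok = hash_equals($stored, md5($password));
    } else {
        // Native hash. If a plugin swapped in argon2 via the proposed filter,
        // pass that algorithm here instead, or this branch would downgrade it.
        $ok = password_verify($password, $stored);
        if ($ok && !password_needs_rehash($stored, PASSWORD_BCRYPT, DEMO_BCRYPT_OPTIONS)) {
            return $stored; // already bcrypt at the current cost: nothing to do
        }
    }
    if (!$ok) {
        return null; // wrong password: never rehash on a failed check
    }
    // Legacy (or outdated-cost) hash just verified: rehash with the native API.
    return password_hash($password, PASSWORD_BCRYPT, DEMO_BCRYPT_OPTIONS);
}

// Constructed demo: a user with an old MD5 hash logs in and is migrated.
$no_phpass = function ($password, $hash) { return false; };
$legacy = md5('correct horse battery');
$upgraded = verify_and_upgrade('correct horse battery', $legacy, $no_phpass);
assert($upgraded !== null && strncmp($upgraded, '$2y$', 4) === 0);
assert(verify_and_upgrade('wrong password', $legacy, $no_phpass) === null);
// Next login: the bcrypt hash verifies and is returned unchanged.
assert(verify_and_upgrade('correct horse battery', $upgraded, $no_phpass) === $upgraded);
```

 The caller persists the returned hash whenever it differs from what was
 stored, which is what silently moves active users onto bcrypt.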


 The end goal is that we seamlessly migrate active users' passwords to
 better mechanisms without breaking functionality for existing users.
 Frameworks such as Drupal and phpBB (which used phpass in the past) have
 moved to better mechanisms since their minimum required PHP versions have
 been updated, and we can easily follow suit.


 If the maintainers agree, I would be overjoyed to collaborate on patches.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/50027>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform