[wp-trac] [WordPress Trac] #50027: Retire Phpass and use PHP native password hashing
WordPress Trac
noreply at wordpress.org
Wed Apr 29 15:35:32 UTC 2020
#50027: Retire Phpass and use PHP native password hashing
-------------------------------------------------+-------------------------
Reporter: ayeshrajans | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting
| Review
Component: Security | Version:
Severity: normal | Resolution:
Keywords: 2nd-opinion needs-unit-tests needs- | Focuses:
patch |
-------------------------------------------------+-------------------------
Comment (by ayeshrajans):
Thanks a lot for the in-depth comment @Otto42, very helpful.
In that plugin, one of the use cases was to make it possible for WordPress
and a custom site to share login, so having raw passwords gone through
`password_hash` helped to keep things cleaner, so it became a design
choice to ignore the 72 char limit.
I see the points raised about bcrypt's 72 byte limitation, and while they
are valid and can solve the very problem of "unlimited" length passwords,
I would like to propose that we do not pre-hash passwords.
Can we simplify this? We have two approaches:
- Ignore that bcrypt truncates beyond 72 bytes. Hard-reject at 4096 bytes
regardless of the hashing algorithm (bcrypt, argon2, etc). This introduces
no BC backwards, and will allow us to accept longer passwords (So `correct
horse battery staple`-akin passwords are allowed). As for security, I
would argue that beyond the sensible password length or a 30-40 bytes,
brute-forcing passwords is impractical for everyone unless they have
billions of years to do it.
- If the password hashing algo is bcrypt, we throw an error for inputs
larger than 72 bytes. This is exactly what
[https://github.com/symfony/security/blob/3dcb8400076290d67bcd13832460da0d93c7a35c/Core/Encoder/NativePasswordEncoder.php#L65
symfony/security component does], and it probably is the least surprising
way, although we break BC for those who use quarter a tweet for their
password.
Both approaches above will make the password hashes truly portable and
make it easier to integrate WordPress with other platforms, be it
importing users to WordPress, exporting WordPress users to another, or
cross-authentication.
> c) @mbijon suggested using batch processing and usermeta. This is not
necessary, nor actually possible. The conversion process would need the
original password input by the user, so it can only be done at the time
they actually login, same as the old MD5 upgrade process. So, we modify
the existing process to upgrade from old $P passwords to new ones in the
exact same manner as it currently does for MD5 hashes.
You are right we will not be able to batch-process passwords, nor it would
be a good idea to have millions of WordPress sites suddenly bcrypt
millions of strings during an update.
> d) Centralize the use of password_hash (and password_verify), so that
filters can be applied to it across the board, in case somebody wants to
change $algo or $options.
Someone also mentioned config.php directive too, noting that it is too
much of a responsibility for a plugin to alter hashing algorithms mid-
flight. But I agree that it should be neatly centralized and allow room
for modifications.
> e) For obvious reasons, the phpass library will need to remain to verify
existing hashes before they are upgraded. No plans to remove or deprecate
it are necessary. We still convert old MD5 hashes, after all.
Yep. It's a small-enough library and it is only loaded on-demand even at
this point. It's a third party library, but it would be nicer to have
`hash_equals()` in there instead of the current `===` comparator.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50027#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list