[wp-trac] [WordPress Trac] #50027: Retire Phpass and use PHP native password hashing

WordPress Trac noreply at wordpress.org
Wed Apr 29 16:59:17 UTC 2020


#50027: Retire Phpass and use PHP native password hashing
-------------------------------------------------+-------------------------
 Reporter:  ayeshrajans                          |       Owner:  (none)
     Type:  defect (bug)                         |      Status:  new
 Priority:  normal                               |   Milestone:  Awaiting
                                                 |  Review
Component:  Security                             |     Version:
 Severity:  normal                               |  Resolution:
 Keywords:  2nd-opinion needs-unit-tests needs-  |     Focuses:
  patch                                          |
-------------------------------------------------+-------------------------

Comment (by Otto42):

 I do understand that prehashing the password is a bad thing because of the
 reduction of entropy, and that the likelihood of somebody using a 72-byte
 password is slim. However, given that 4-byte character encodings are likely
 going forward, this is a real issue. Albeit perhaps not one to be
 addressed directly in this fashion.

 Is there any indication that PHP is going to address the 72-byte issue
 going forward, in some kind of reasonable time frame? If there is, then
 using a straight `password_hash()` and implementing
 `password_needs_rehash()` in the login would be secure enough to stick
 with PHP defaults.

 I know that Argon2 was considered as the new default over bcrypt at
 some point, and it doesn't have a length limitation. But I have not seen
 any progress on if/when that will become the default algo used.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/50027#comment:13>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
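The two points in the comment above, worked through in PHP as an added example (this is not code from the ticket or from WordPress core): bcrypt's 72-byte input limit, which 18 four-byte UTF-8 characters already fill, and a login step that upgrades stored hashes with `password_needs_rehash()`. The helper names, the cost values and the "current policy" arguments are assumptions for illustration.

```php
<?php
// Added example, not from the ticket or from WordPress core.
// 1. bcrypt uses only the first 72 bytes of the input, so two passwords
//    that agree on those bytes verify against the same stored hash.
function sharesBcryptPrefix(string $a, string $b): bool
{
    return password_verify($b, password_hash($a, PASSWORD_BCRYPT));
}

$ascii = str_repeat('a', 72);
$emoji = str_repeat("\xF0\x9F\x98\x80", 18); // U+1F600 is 4 bytes: 18 chars = 72 bytes
echo "72 ASCII chars + differing tails share a hash: ",
     var_export(sharesBcryptPrefix($ascii . 'tail-1', $ascii . 'tail-2'), true), PHP_EOL;
echo "18 four-byte chars + differing tails share a hash: ",
     var_export(sharesBcryptPrefix($emoji . 'tail-1', $emoji . 'tail-2'), true), PHP_EOL;

// Defender-side check before hashing with bcrypt: count bytes (strlen),
// not characters (mb_strlen); 19 emoji are only 19 characters but 76 bytes.
function exceedsBcryptLimit(string $password): bool
{
    return strlen($password) > 72;
}
echo "19 emoji exceed the bcrypt limit: ",
     var_export(exceedsBcryptLimit(str_repeat("\xF0\x9F\x98\x80", 19)), true), PHP_EOL;

// 2. Login-time upgrade path. $algo/$options carry the site's current policy
//    (values below are assumed). A replacement hash is returned only when the
//    stored one was made under a different algorithm or cost; the caller saves it.
function verifyAndMaybeRehash(string $password, string $storedHash,
                              string $algo, array $options): array
{
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'newHash' => null];
    }
    $newHash = password_needs_rehash($storedHash, $algo, $options)
        ? password_hash($password, $algo, $options)
        : null;
    return ['ok' => true, 'newHash' => $newHash];
}

$stored = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]); // old policy
$r = verifyAndMaybeRehash('correct horse', $stored, PASSWORD_BCRYPT, ['cost' => 12]);
echo "login ok: ", var_export($r['ok'], true),
     ", rehashed for new cost: ", var_export($r['newHash'] !== null, true), PHP_EOL;

// Where Argon2 is compiled into PHP, the same call migrates bcrypt hashes to
// Argon2id, which has no 72-byte limit.
if (defined('PASSWORD_ARGON2ID')) {
    $r = verifyAndMaybeRehash('correct horse', $stored, PASSWORD_ARGON2ID, []);
    echo "migrated to: ", password_get_info($r['newHash'])['algoName'], PHP_EOL;
}
```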