[wp-trac] [WordPress Trac] #50027: Retire Phpass and use PHP native password hashing
WordPress Trac
noreply at wordpress.org
Wed Apr 29 16:59:17 UTC 2020
#50027: Retire Phpass and use PHP native password hashing
-------------------------------------------------+-------------------------
Reporter: ayeshrajans | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Resolution:
Keywords: 2nd-opinion needs-unit-tests needs-patch | Focuses:
-------------------------------------------------+-------------------------
Comment (by Otto42):
I do understand that prehashing the password is a bad thing because of the
reduction of entropy, and that the likelihood of somebody using a 72-byte
password is slim. However, given that 4-byte character encodings are likely
going forward, this is a real issue. Albeit perhaps not one to be
addressed directly in this fashion.
Is there any indication that PHP is going to address the 72-byte issue
going forward, in some kind of reasonable time frame? If there is, then
using a straight `password_hash()` and implementing
`password_needs_rehash()` in the login would be secure enough to stick
with PHP defaults.
I know that ARGON2 was considered at being the new default over bcrypt at
some point, and it doesn't have a length limitation. But I have not seen
any progress on if/when that will become the default algo used.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50027#comment:13>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
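The two points in Otto42's comment, the bcrypt 72-byte input limit and the `password_needs_rehash()`-at-login pattern, as an added PHP example. This is not code from the ticket or from WordPress core; the helper `verify_and_maybe_rehash()` is a hypothetical name chosen for this illustration (WordPress itself uses `wp_check_password()` / `wp_set_password()`), and the stored low-cost hash is a constructed stand-in for an old user record. The truncation behaviour relied on is the one documented for `PASSWORD_BCRYPT` in the PHP manual for `password_hash()`.

```php
<?php
declare(strict_types=1);

// Added example, not from the ticket or WordPress core. It shows:
//  (1) bcrypt uses only the first 72 bytes of the password, so 4-byte UTF-8
//      characters exhaust that limit after 18 characters;
//  (2) the password_verify() + password_needs_rehash() pattern for upgrading
//      stored hashes at login time while sticking with PHP's defaults.

// --- (1) bcrypt's 72-byte input limit ---------------------------------------

// Two passwords that agree on their first 72 bytes verify against the same
// bcrypt hash: everything past byte 72 is ignored by the algorithm.
$prefix = str_repeat('a', 72);
$hash   = password_hash($prefix . 'tail-one', PASSWORD_BCRYPT);

var_dump(password_verify($prefix . 'tail-one', $hash));             // bool(true)
var_dump(password_verify($prefix . 'completely-different', $hash)); // bool(true)

// The limit is in bytes, not characters. U+1F512 (lock emoji) is 4 bytes in
// UTF-8, so 18 of them already fill the 72 bytes bcrypt looks at.
$emoji = str_repeat("\u{1F512}", 18);
var_dump(strlen($emoji)); // int(72) bytes for 18 characters

$hash2 = password_hash($emoji . "\u{1F511}", PASSWORD_BCRYPT);
var_dump(password_verify($emoji . "\u{1F513}", $hash2)); // bool(true): 19th char ignored

// Argon2id has no such limit. It exists only when PHP was built with libargon2,
// hence the defined() guard.
if (defined('PASSWORD_ARGON2ID')) {
    $hash3 = password_hash($emoji . "\u{1F511}", PASSWORD_ARGON2ID);
    var_dump(password_verify($emoji . "\u{1F513}", $hash3)); // bool(false)
}

// --- (2) rehash-on-login with PHP defaults -----------------------------------

/**
 * Hypothetical helper for this example (not a WordPress function).
 *
 * Verifies $password against $storedHash. On success, 'new_hash' holds a fresh
 * hash when the stored one was produced with a different algorithm or options
 * than the current PASSWORD_DEFAULT, or null if it is still current. The caller
 * is responsible for persisting 'new_hash' to the user record.
 */
function verify_and_maybe_rehash(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'new_hash' => null];
    }
    // password_needs_rehash() compares the algorithm and options encoded in
    // the stored hash (e.g. bcrypt cost) against the requested ones.
    $newHash = password_needs_rehash($storedHash, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return ['ok' => true, 'new_hash' => $newHash];
}

// Constructed stand-in for an old stored record: bcrypt at cost 5, below the
// cost 10 that PASSWORD_DEFAULT (bcrypt) uses, so a rehash is due.
$stored = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 5]);

$result = verify_and_maybe_rehash('correct horse battery staple', $stored);
var_dump($result['ok']);                // bool(true)
var_dump($result['new_hash'] !== null); // bool(true): hash upgraded to current default

$result = verify_and_maybe_rehash('wrong password', $stored);
var_dump($result['ok']);                // bool(false)
var_dump($result['new_hash']);          // NULL
```

The rehash has to live in the login path because that is the only moment the plaintext is available; a stored hash cannot be converted to a stronger algorithm offline. The same hook is where a migration away from phpass would sit: once the legacy check succeeds, the plaintext is hashed with `password_hash()` and the old hash overwritten.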