[wp-trac] [WordPress Trac] #50027: Retire Phpass and use PHP native password hashing

WordPress Trac noreply at wordpress.org
Wed Apr 29 18:48:03 UTC 2020


#50027: Retire Phpass and use PHP native password hashing
-------------------------------------------------+-------------------------
 Reporter:  ayeshrajans                          |       Owner:  (none)
     Type:  defect (bug)                         |      Status:  new
 Priority:  normal                               |   Milestone:  Awaiting
                                                 |  Review
Component:  Security                             |     Version:
 Severity:  normal                               |  Resolution:
 Keywords:  2nd-opinion needs-unit-tests needs-  |     Focuses:
  patch                                          |
-------------------------------------------------+-------------------------

Comment (by ayeshrajans):

 Thank you @bgermann - I agree with the filters for password rules. I
 wonder if there are any filters already to validate an incoming password
 (such as a strength check when the user enters a new password).

 @Otto42 - the 72 byte limit is from bcrypt and not PHP itself. Regardless
 of the caller, bcrypt will truncate input to 72 bytes.

 I also always typed 72 "bytes" because that's what matters for bcrypt. For
 a typical password that's typed on a US keyboard layout (ASCII and a few
 more Latin characters), the character count is the same as the byte count. We
 will be using UTF-8, which means we will use the least amount of bytes per
 character (compared to UTF-16 and 32). The upper limit for password length
 would be between 72 ASCII characters and 18 complex emojis (such as country
 flags, or thumbs up emojis with a specific color).


 As for the portability, I understand the hashes would be a deterministic
 function. It loses portability as in you cannot use the same password
 hashes between two different systems. For example, one might have a
 Laravel application that uses the WordPress users table to authenticate users.
 If we were to impose any pre-processing for the password before it goes
 through password_hash(), all other systems need to do this now, thus
 losing the portability. Ideally one would be able to throw in an ORM to
 the WordPress users table and authenticate users.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/50027#comment:14>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
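Added example for the points raised in the comment above (written for this page; not code from the ticket, from WordPress core, or from the author): it compares UTF-8 byte counts with character counts against bcrypt's 72-byte limit, shows that password_hash() with PASSWORD_BCRYPT silently ignores bytes past 72, and shows why a pre-processing step before hashing breaks verification from another system. The sample strings are constructed, and the sha256-then-base64 pre-hash is a hypothetical pre-processing step, not anything proposed on the ticket.

```php
<?php
declare(strict_types=1);

// Byte budget vs. character count for a password string.
// bcrypt only ever sees the first 72 *bytes*, so strlen() is the number
// that matters; mb_strlen() is what a user would perceive as "length".
function utf8_budget(string $s): array {
    return [
        'chars'      => mb_strlen($s, 'UTF-8'),
        'bytes'      => strlen($s),
        'fits_in_72' => strlen($s) <= 72,
    ];
}

// Constructed samples: same visual "length" ideas, very different byte counts.
$samples = [
    'ascii'     => str_repeat('a', 72),                    // 72 chars, 72 bytes
    'latin'     => str_repeat('é', 40),                    // 40 chars, 80 bytes (2 each)
    'thumbs_up' => str_repeat("\u{1F44D}\u{1F3FD}", 9),    // 9 emoji + skin tone, 72 bytes
    'flags'     => str_repeat("\u{1F1FA}\u{1F1F8}", 10),   // 10 flags (2 code points each), 80 bytes
];
foreach ($samples as $name => $s) {
    printf("%-10s %s\n", $name, json_encode(utf8_budget($s)));
}

// Truncation is a bcrypt property: two inputs that share their first 72 bytes
// verify against the same hash. Cost 4 is the minimum PHP allows; it keeps the
// demo fast and has no effect on the truncation behaviour.
$base = str_repeat('x', 72);
$hash = password_hash($base . 'SECRET-TAIL', PASSWORD_BCRYPT, ['cost' => 4]);
var_dump(password_verify($base . 'different-tail', $hash)); // bool(true)

// A caller-side check, since password_hash() does not report dropped input.
function exceeds_bcrypt_limit(string $password): bool {
    return strlen($password) > 72;
}
var_dump(exceeds_bcrypt_limit($samples['flags'])); // bool(true)

// Portability: if the stored hash were computed over a pre-processed password
// (hypothetical sha256 + base64 step), a plain password_verify() call from a
// different system, which does not know about that step, no longer matches.
$prehashed = password_hash(
    base64_encode(hash('sha256', 'correct horse', true)),
    PASSWORD_BCRYPT,
    ['cost' => 4]
);
var_dump(password_verify('correct horse', $prehashed)); // bool(false)
```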

