[wp-trac] [WordPress Trac] #50027: Retire Phpass and use PHP native password hashing
WordPress Trac
noreply at wordpress.org
Wed Apr 29 21:10:07 UTC 2020
#50027: Retire Phpass and use PHP native password hashing
-------------------------------------------------+-------------------------
Reporter: ayeshrajans | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Resolution:
Keywords: 2nd-opinion needs-unit-tests needs-patch | Focuses:
-------------------------------------------------+-------------------------
Comment (by deadduck169):
You definitely want to avoid truncating the hash at all costs. SHA2
algorithms are secure when the entire hash is included, whereas truncated
hashes are not proven to be secure and could introduce a vulnerability.
I also second the motion to just let passwords be truncated at 72 bytes.
Arguably you are not adding any additional security to the password at
this point. There are currently 143859 Unicode characters defined (and
growing) out of over 1.1 million possible characters. This means that
there are currently about 10^92 possible 18 character Unicode passwords
(i.e. more than the total number of atoms in the known universe). I doubt
the security bottleneck will be in your password at that point.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50027#comment:15>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
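The two points in the comment above, bcrypt's 72-byte limit and "never truncate the SHA-2 digest", as an added PHP example that is not code from the ticket or from WordPress core; the function names are this example's own, and it assumes a PHP build with password_hash() (PHP 5.5 or later):

```php
<?php
// Added example (not from the ticket): bcrypt's 72-byte limit and a pre-hash
// that feeds the *whole* SHA-2 digest to bcrypt, as the comment advises.
// Function names below are this example's own, not WordPress or PHP APIs.

function bcrypt_hash(string $password): string {
    // PASSWORD_BCRYPT silently uses only the first 72 bytes of $password.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
}

function prehash(string $password): string {
    // Full SHA-384 digest (48 raw bytes) -> base64 (64 chars). That is under
    // 72 bytes and contains no NUL byte, so bcrypt sees the entire digest.
    $b64 = base64_encode(hash('sha384', $password, true));
    // Guard against the thing the comment warns about: a digest that bcrypt
    // would cut off (base64 of SHA-512 is 88 chars and would trip this).
    if (strlen($b64) > 72) {
        throw new LengthException('pre-hash would be truncated by bcrypt');
    }
    return $b64;
}

function prehashed_bcrypt_hash(string $password): string {
    return password_hash(prehash($password), PASSWORD_BCRYPT, ['cost' => 10]);
}

function prehashed_bcrypt_verify(string $password, string $hash): bool {
    return password_verify(prehash($password), $hash);
}

// Constructed inputs: identical for the first 72 bytes, different at byte 73.
$shared = str_repeat('a', 72);
$p1 = $shared . 'X';
$p2 = $shared . 'Y';

// Plain bcrypt: the difference at byte 73 is invisible to the algorithm, so
// verifying $p2 against a hash of $p1 succeeds.
$h = bcrypt_hash($p1);
var_dump(password_verify($p2, $h));

// Pre-hashed: every byte of the password feeds the digest, so $p1 verifies
// and $p2 does not.
$h = prehashed_bcrypt_hash($p1);
var_dump(prehashed_bcrypt_verify($p1, $h));
var_dump(prehashed_bcrypt_verify($p2, $h));

// PASSWORD_ARGON2ID (when PHP is built with Argon2 support) has no 72-byte
// limit, so the pre-hash step is only needed as a bcrypt workaround.
```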