[wp-trac] [WordPress Trac] #21022: Use bcrypt for password hashing; updating old hashes

WordPress Trac noreply at wordpress.org
Sat Aug 1 19:05:48 UTC 2020


#21022: Use bcrypt for password hashing; updating old hashes
-------------------------------------------------+-------------------------
 Reporter:  th23                                 |       Owner:  (none)
     Type:  enhancement                          |      Status:  new
 Priority:  normal                               |   Milestone:  Future
                                                 |  Release
Component:  Security                             |     Version:  3.4
 Severity:  major                                |  Resolution:
 Keywords:  2nd-opinion has-patch needs-testing  |     Focuses:
  dev-feedback                                   |
-------------------------------------------------+-------------------------
Description changed by SergeyBiryukov:

Old description:

> Hi,
>
> following recent discussions on password security and how best to prevent
> hackers from leveraging any password table they might have got, I looked
> into the phpass used for WordPress.
>
> While I in principle understand why WordPress uses the compatibility mode
> of it, I would like to see some flexibility for those who don't need the
> compatibility.
>
> Thus I would propose to change in wp-includes/pluggable.php all
> occurrences of
>
> $wp_hasher = new PasswordHash(8, true);
>
> to
>
> $wp_hasher = new PasswordHash(8,
> apply_filters('phpass_compatibility_mode', true));
>
> This would allow users to easily change via plugin from the "not so
> secure" compatibility mode (only salted MD5) of phpass to a more secure
> setting (bcrypt) in case no compatibility with other applications is
> required.
>
> The plugin changing the encryption method could then be as easy as
>
> function phpass_bcrypt() {
>         return false;
> }
> add_filter('phpass_compatibility_mode', 'phpass_bcrypt');

New description:

 Hi,

 following recent discussions on password security and how best to prevent
 hackers from leveraging any password table they might have got, I looked
 into the phpass used for WordPress.

 While I in principle understand why WordPress uses the compatibility mode
 of it, I would like to see some flexibility for those who don't need the
 compatibility.

 Thus I would propose to change in wp-includes/pluggable.php all
 occurrences of
 {{{
 $wp_hasher = new PasswordHash(8, true);
 }}}
 to
 {{{
 $wp_hasher = new PasswordHash(8,
 apply_filters('phpass_compatibility_mode', true));
 }}}
 This would allow users to easily change via plugin from the "not so
 secure" compatibility mode (only salted MD5) of phpass to a more secure
 setting (bcrypt) in case no compatibility with other applications is
 required.

 The plugin changing the encryption method could then be as easy as
 {{{
 function phpass_bcrypt() {
         return false;
 }
 add_filter('phpass_compatibility_mode', 'phpass_bcrypt');
 }}}

--

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:125>
WordPress Trac <https://core.trac.wordpress.org/>
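As an added example (not code from the ticket, its reporter, or WordPress core), below is a minimal plugin that applies the proposal in the description and also covers the "updating old hashes" half of the ticket title. It assumes the proposed `phpass_compatibility_mode` filter has been added to wp-includes/pluggable.php exactly as described above; the `check_password` filter, `wp_set_password()` and `__return_false()` are existing core APIs. The point worth seeing in code is that phpass's `CheckPassword()` dispatches on the hash prefix, so legacy portable `$P$` hashes keep verifying after the switch, which means the upgrade to bcrypt can happen lazily at login, the only moment the plaintext is available to the server.

```php
<?php
/**
 * Plugin Name: phpass bcrypt switch (illustrative example, not from the ticket)
 *
 * Assumes the proposed filter exists in wp-includes/pluggable.php:
 *   $wp_hasher = new PasswordHash(8, apply_filters('phpass_compatibility_mode', true));
 */

// 1. Answer the proposed filter with false so PasswordHash is built with
//    portable_hashes = false, i.e. new hashes are bcrypt ($2a$) instead of
//    the salted-MD5 portable scheme ($P$).
add_filter( 'phpass_compatibility_mode', '__return_false' );

/**
 * True when a stored hash uses the phpass portable scheme that the switch
 * above leaves behind. ($H$ is the phpBB variant phpass also recognises.)
 */
function bcrypt_switch_is_legacy_hash( $hash ) {
	return 0 === strpos( $hash, '$P$' ) || 0 === strpos( $hash, '$H$' );
}

/**
 * 2. Upgrade a legacy hash to bcrypt right after it verifies successfully.
 *    Runs on the existing core 'check_password' filter, which receives the
 *    result of CheckPassword() plus the plaintext, stored hash and user ID.
 */
function bcrypt_switch_rehash_on_login( $check, $password, $hash, $user_id ) {
	// Only act on a successful verification of a legacy hash for a real user;
	// never touch a failed check or hashes that are already bcrypt.
	if ( ! $check || empty( $user_id ) || ! bcrypt_switch_is_legacy_hash( $hash ) ) {
		return $check;
	}

	// wp_hash_password() now goes through the filtered PasswordHash, so the
	// result is bcrypt. Guard against phpass silently falling back to a
	// portable hash when CRYPT_BLOWFISH is unavailable: in that case keep
	// the stored hash rather than rewriting it with an equivalent one.
	$new_hash = wp_hash_password( $password );
	if ( 0 !== strpos( $new_hash, '$2' ) ) {
		return $check;
	}

	// wp_set_password() hashes again via wp_hash_password(), writes user_pass,
	// clears user_activation_key and flushes the user cache. At this point in
	// the login flow no session has been created yet, so nothing is lost.
	wp_set_password( $password, $user_id );

	return $check;
}
add_filter( 'check_password', 'bcrypt_switch_rehash_on_login', 10, 4 );
```

Two things to keep in mind when using this pattern: the cost factor is whatever the `PasswordHash(8, ...)` line passes (bcrypt cost 2^8 here), so raising it later means a second lazy rehash pass keyed on the cost embedded in the `$2a$08$` prefix; and an installation whose users never log in keeps its `$P$` hashes indefinitely, so the switch alone does not change the exposure of a dumped users table for dormant accounts.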