[wp-trac] [WordPress Trac] #50027: Retire Phpass and use PHP native password hashing

WordPress Trac noreply at wordpress.org
Thu Dec 10 15:33:02 UTC 2020


#50027: Retire Phpass and use PHP native password hashing
-------------------------------------------------+-------------------------
 Reporter:  ayeshrajans                          |       Owner:  (none)
     Type:  defect (bug)                         |      Status:  new
 Priority:  normal                               |   Milestone:  Awaiting
                                                 |  Review
Component:  Security                             |     Version:
 Severity:  normal                               |  Resolution:
 Keywords:  2nd-opinion needs-unit-tests needs-  |     Focuses:
  patch                                          |
-------------------------------------------------+-------------------------

Comment (by stgoos):

 I have followed the original ticket for years now, and with the minimum
 PHP requirement for WordPress now being at 5.6 it's about time to get this
 finally sorted in my opinion.

 Btw - my 2 cents regarding your 2nd point:

   2. Expose a filter for plugins
   ... We can expose a filter that WordPress core emits so plugins can
 change the hashing algorithm if necessary.

 Is that desirable at all? Shouldn't this be controlled via a setting in
 wp-config.php which makes it clear that the WordPress installation will
 use an alternative hashing algorithm instead?
 That way no one can be taken by surprise that the passwords have been
 changed by simply activating a plugin that for some reason feels the need
 to use an alternative hashing algorithm.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/50027#comment:16>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
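
Added example, not part of the ticket or of WordPress core: one way the wp-config.php setting suggested in the comment above could drive PHP's native password API, with stored hashes changing only on a successful login. The constant names and the in-memory user array are assumptions made for illustration, and only native password_hash() hashes are handled, not existing phpass ones.

```php
<?php
// EXAMPLE_PASSWORD_ALGO / EXAMPLE_PASSWORD_OPTIONS are hypothetical names
// standing in for a wp-config.php setting; they are not WordPress constants.
const EXAMPLE_PASSWORD_ALGO = PASSWORD_BCRYPT;
const EXAMPLE_PASSWORD_OPTIONS = ['cost' => 12];

function example_hash_password(string $password): string
{
    return password_hash($password, EXAMPLE_PASSWORD_ALGO, EXAMPLE_PASSWORD_OPTIONS);
}

/**
 * Verify a login and, if the stored hash no longer matches the configured
 * algorithm or options, replace it. Returns false on a wrong password.
 * $users is a constructed in-memory stand-in for the user table.
 */
function example_check_login(array &$users, string $login, string $password): bool
{
    $stored = $users[$login] ?? null;
    if ($stored === null || !password_verify($password, $stored)) {
        return false;
    }
    // The only place a stored hash changes, and only after a successful
    // login: the plaintext is needed to compute the replacement hash.
    if (password_needs_rehash($stored, EXAMPLE_PASSWORD_ALGO, EXAMPLE_PASSWORD_OPTIONS)) {
        $users[$login] = example_hash_password($password);
    }
    return true;
}

// Constructed sample: a hash created under an older setting (cost 10).
$users = ['alice' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10])];

var_dump(password_get_info($users['alice'])['options']['cost']); // cost before login
var_dump(example_check_login($users, 'alice', 'wrong'));         // failed login, hash untouched
var_dump(example_check_login($users, 'alice', 'correct horse')); // successful login, rehash
var_dump(password_get_info($users['alice'])['options']['cost']); // cost after login
```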