[wp-trac] [WordPress Trac] #21022: Use bcrypt for password hashing; updating old hashes
WordPress Trac
noreply at wordpress.org
Mon Dec 12 13:09:26 UTC 2022
#21022: Use bcrypt for password hashing; updating old hashes
------------------------------------------------------------+----------------------------
 Reporter:  th23                                            |      Owner:  (none)
     Type:  enhancement                                     |     Status:  new
 Priority:  normal                                          |  Milestone:  Future Release
Component:  Security                                        |    Version:  3.4
 Severity:  major                                           | Resolution:
 Keywords:  2nd-opinion has-patch needs-testing dev-feedback |    Focuses:
------------------------------------------------------------+----------------------------
Comment (by ryanhellyer):
https://github.com/paragonie/sodium_compat#features-excluded-from-this-polyfill
{{{
It's not feasible to polyfill scrypt or Argon2 into PHP and get reasonable
performance. Users would feel motivated to select parameters that
downgrade security to avoid denial of service (DoS) attacks.
}}}
That seems to imply that running a simple PHP-based library would not be
viable due to performance reasons, and the subsequent issues with DDoS
attacks that could occur relating to that.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:136>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform