[wp-trac] [WordPress Trac] #56787: Recovery mode tokens can't be validated successfully if pluggable function wp_check_password is overwritten.
WordPress Trac
noreply at wordpress.org
Tue Oct 11 15:38:53 UTC 2022
#56787: Recovery mode tokens can't be validated successfully if pluggable function
wp_check_password is overwritten.
--------------------------+--------------------------------
 Reporter:  calvinalkan   |       Owner:  TimothyBlynJacobs
     Type:  defect (bug)  |      Status:  accepted
 Priority:  normal        |   Milestone:  6.2
Component:  Site Health   |     Version:  5.2
 Severity:  normal        |  Resolution:
 Keywords:                |     Focuses:
--------------------------+--------------------------------
Comment (by calvinalkan):
Replying to [comment:1 TimothyBlynJacobs]:
> Thanks for the ticket @calvinalkan!
>
> Agreed, this should've been consistent with using or not using a
> pluggable API. I'm in favor of using `PasswordHash` directly. Matching how
> we handle User Request and Password Reset tokens.
Arguably even plain sha256 is enough. PasswordHash is sufficient. Anything
that uses slow hashes inside a custom pluggable function would only waste
electricity.
{{{#!php
<?php
$key = wp_generate_password( 22, false );
}}}
This has enough entropy.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56787#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
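
An added example, not part of the ticket or of WordPress core, illustrating the argument in the comment above: a 22-character key drawn from a 62-character alphanumeric alphabet carries about 131 bits of entropy, so a fast digest with a constant-time comparison is enough to store and validate it, and validation does not depend on any pluggable password function. All function names, the token id and the timestamps are hypothetical, constructed values.

```php
<?php
// Added illustration. Function names are hypothetical, not WordPress core APIs.

const KEY_ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

/** Build a random key from the 62-character alphabet using the CSPRNG. */
function example_generate_key(int $length = 22): string
{
    $key = '';
    $max = strlen(KEY_ALPHABET) - 1;
    for ($i = 0; $i < $length; $i++) {
        $key .= KEY_ALPHABET[random_int(0, $max)];
    }
    return $key;
}

/** Issue a key for a token id; only a digest and the creation time are stored. */
function example_issue_key(array &$store, string $token, int $now): string
{
    $key = example_generate_key();
    $store[$token] = ['hashed_key' => hash('sha256', $key), 'created_at' => $now];
    return $key; // handed to the recipient, never stored in clear
}

/** Validate a presented key: known token, not expired, digest matches. */
function example_validate_key(array $store, string $token, string $key, int $ttl, int $now): bool
{
    if (!isset($store[$token])) {
        return false;
    }
    $record = $store[$token];
    if ($now - $record['created_at'] > $ttl) {
        return false; // key is older than the allowed lifetime
    }
    // hash_equals() compares in constant time, avoiding a timing side channel.
    return hash_equals($record['hashed_key'], hash('sha256', $key));
}

// Constructed demo values.
$store = [];
$now   = 1700000000;
$key   = example_issue_key($store, 'token-abc', $now);

printf("entropy of a 22-character key: %.1f bits\n", 22 * log(62, 2));
var_dump(example_validate_key($store, 'token-abc', $key, 3600, $now + 60));        // correct key within the lifetime
var_dump(example_validate_key($store, 'token-abc', $key . 'x', 3600, $now + 60));  // altered key
var_dump(example_validate_key($store, 'token-abc', $key, 3600, $now + 7200));      // correct key after expiry
```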