[wp-trac] [WordPress Trac] #21022: Use bcrypt for password hashing; updating old hashes
WordPress Trac
noreply at wordpress.org
Tue Dec 3 09:46:26 UTC 2024
#21022: Use bcrypt for password hashing; updating old hashes
-------------------------------------------------+-------------------------
Reporter: th23                                   | Owner: johnbillion
Type: enhancement                                | Status: accepted
Priority: normal                                 | Milestone: 6.8
Component: Security                              | Version: 3.4
Severity: normal                                 | Resolution:
Keywords: has-patch needs-testing has-unit-tests | Focuses:
-------------------------------------------------+-------------------------
Comment (by mslavco):
There are no coverage tests regarding effects against WP core as a whole;
let us check how XMLRPC system.multicall would behave from a DoS
perspective, or application passwords from a TTB perspective.
Here are simple benchmark results:
{{{
WordPress Hash:
Time Taken: 0.00169 seconds
Hash: $P$Bzw6UBhVjz0K5QWG.iHG52g2lrA7dS0
Bcrypt (Cost 10):
Time Taken: 0.064304 seconds
Hash: $2y$10$c20BhLvwDSRjNZESRZsbtuu1IA5f7o7Q.BbxmG2Tzofm5C2dI87jC
Bcrypt (Cost 12):
Time Taken: 0.218802 seconds
Hash: $2y$12$b9tSyf0J4bfHn/nhW/8n.u0QEYXCgvMBrILEjjXogQF0D4gvZn8Ca
}}}
for the following pseudo code:
{{{
$p = "1234567890";
// WordPress phpass-based hasher (requires WordPress to be loaded)
wp_hash_password($p);
// vs. native bcrypt; the third argument is an options array, not a bare int
password_hash($p, PASSWORD_BCRYPT, ['cost' => 10]);
// vs
password_hash($p, PASSWORD_BCRYPT, ['cost' => 12]);
}}}
Bcrypt with cost 12 will become (it is) the default in PHP 8.4. I understand we
have no control over PHP, but critical changes/patches like this should be
audited with backward and forward compatibility in mind against every
existing (maybe against future/planned) functionality in the core.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:184>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac mailing list
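The comment above raises two points a practitioner would want to see side by side: what a bcrypt cost of 10 versus 12 actually costs per call, and why a batched endpoint such as XML-RPC system.multicall matters once each failed login costs tens of milliseconds. The following is an added example for this thread; it is not code from the ticket, from mslavco, or from WordPress core. The names `bench_hash` and `RequestAuthGuard`, the per-request "stop hashing after the first failure" guard, and the user/hash data are assumptions constructed for illustration, and the guard is shown as a general defensive pattern rather than as a description of how core's XML-RPC server currently behaves. It also shows `password_needs_rehash()` upgrading a cost-10 hash to cost 12 on a successful login, which is the gradual migration path the ticket title ("updating old hashes") refers to.

```php
<?php
declare(strict_types=1);

// Added example, not from the ticket or from WordPress core. bench_hash,
// RequestAuthGuard and the sample account below are constructed for illustration.

/** Average seconds per password_hash() call at the given bcrypt cost. */
function bench_hash(string $password, int $cost, int $rounds = 3): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $rounds; $i++) {
        password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    return (hrtime(true) - $start) / 1e9 / $rounds;
}

/**
 * Per-request authentication guard of the kind a batched endpoint needs:
 * after the first failed verification in a request, further attempts are
 * rejected without touching bcrypt, so one request cannot force hundreds
 * of hashes. Logins that succeed against a lower-cost hash are rehashed
 * at $targetCost, which is how a cost bump rolls out without a mass reset.
 */
final class RequestAuthGuard
{
    private bool $failed = false;
    private string $dummyHash;
    public int $verifications = 0;

    /** @param array<string,string> $hashesByUser user => bcrypt hash */
    public function __construct(private array $hashesByUser, private int $targetCost = 12)
    {
        // Verified for unknown users so that "no such user" takes as long as a
        // wrong password and does not reveal which usernames exist. In
        // production this would be computed once and stored, not per request.
        $this->dummyHash = password_hash('dummy', PASSWORD_BCRYPT, ['cost' => $targetCost]);
    }

    public function check(string $user, string $password): bool
    {
        if ($this->failed) {
            return false; // short-circuit: no more hashing in this request
        }
        $known = isset($this->hashesByUser[$user]);
        $hash = $known ? $this->hashesByUser[$user] : $this->dummyHash;
        $this->verifications++;
        // password_verify runs first so the unknown-user path costs the same.
        if (!password_verify($password, $hash) || !$known) {
            $this->failed = true;
            return false;
        }
        if (password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => $this->targetCost])) {
            $this->hashesByUser[$user] = password_hash($password, PASSWORD_BCRYPT, ['cost' => $this->targetCost]);
        }
        return true;
    }

    public function hashFor(string $user): ?string
    {
        return $this->hashesByUser[$user] ?? null;
    }
}

// --- demo ------------------------------------------------------------------
$p = '1234567890';
foreach ([10, 12] as $cost) {
    printf("bcrypt cost %d: %.4f s per hash\n", $cost, bench_hash($p, $cost));
}

// Constructed store: one account still hashed at the old cost 10.
$store = ['alice' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10])];

// 100 wrong passwords arriving in one "request": only the first one is hashed.
$guard = new RequestAuthGuard($store, 12);
for ($i = 0; $i < 100; $i++) {
    $guard->check('alice', "guess-$i");
}
printf("bcrypt verifications after 100 bad attempts: %d\n", $guard->verifications);

// A fresh request with the right password succeeds and upgrades the stored hash.
$guard = new RequestAuthGuard($store, 12);
printf("login ok: %s\n", $guard->check('alice', 'correct horse') ? 'yes' : 'no');
printf("stored hash prefix now: %s\n", substr((string) $guard->hashFor('alice'), 0, 7));
```

Run it with the PHP 8 CLI (it needs no WordPress install). The first two lines reproduce the kind of cost-10 versus cost-12 timing the comment reports; the verification counter stays at 1 after 100 bad attempts because the guard refuses to hash again once a request has failed, and after the successful login the stored hash begins with `$2y$12$` instead of `$2y$10$`, i.e. the old hash was upgraded in place without forcing a password reset.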