Index: wp-login.php
===================================================================
--- wp-login.php	(revision 15937)
+++ wp-login.php	(working copy)
@@ -461,7 +461,7 @@
 	if ( isset($_POST['pass1']) && $_POST['pass1'] != $_POST['pass2'] ) {
 		$errors = new WP_Error('password_reset_mismatch', __('The passwords do not match.'));
 	} elseif ( isset($_POST['pass1']) && !empty($_POST['pass1']) ) {
-		reset_password($user, $_POST['pass1']);
+		reset_password($user, stripslashes($_POST['pass1']));
 		login_header(__('Password Reset'), '<p class="message reset-pass">' . __('Your password has been reset.') . ' <a href="' . site_url('wp-login.php', 'login') . '">' . __('Log in') . '</a></p>');
 		login_footer();
 		exit;
Index: wp-includes/user.php
===================================================================
--- wp-includes/user.php	(revision 15937)
+++ wp-includes/user.php	(working copy)
@@ -27,7 +27,7 @@
 		if ( ! empty($_POST['log']) )
 			$credentials['user_login'] = $_POST['log'];
 		if ( ! empty($_POST['pwd']) )
-			$credentials['user_password'] = $_POST['pwd'];
+			$credentials['user_password'] = stripslashes($_POST['pwd']);
 		if ( ! empty($_POST['rememberme']) )
 			$credentials['remember'] = $_POST['rememberme'];
 	}
Index: wp-includes/pluggable.php
===================================================================
--- wp-includes/pluggable.php	(revision 15937)
+++ wp-includes/pluggable.php	(working copy)
@@ -1459,9 +1459,17 @@
 function wp_check_password($password, $hash, $user_id = '') {
 	global $wp_hasher;
 
+	/*
+	 * For a long time WordPress did not stripslash() passwords in $_POST.
+	 * To handle password hashes created during that time we must therefore
+	 * also check against addslashed passwords and update hash on match.
+	 */
+
 	// If the hash is still md5...
 	if ( strlen($hash) <= 32 ) {
 		$check = ( $hash == md5($password) );
+		if (!$check)
+			$check = ( $hash == md5(addslashes($password)) );
 		if ( $check && $user_id ) {
 			// Rehash using new hash.
 			wp_set_password($password, $user_id);
@@ -1481,6 +1489,16 @@
 
 	$check = $wp_hasher->CheckPassword($password, $hash);
 
+	// Also check using slashed password, and migrate if necessary
+	if ( !$check && $user_id ) {
+		$check = $wp_hasher->CheckPassword(addslashes($password), $hash);
+		if ( $check  ) {
+			// Rehash with correct password
+			wp_set_password($password, $user_id);
+			$hash = wp_hash_password($password);
+		}
+	}
+
 	return apply_filters('check_password', $check, $password, $hash, $user_id);
 }
 endif;
Index: wp-admin/includes/user.php
===================================================================
--- wp-admin/includes/user.php	(revision 15937)
+++ wp-admin/includes/user.php	(working copy)
@@ -70,9 +70,9 @@
 
 	$pass1 = $pass2 = '';
 	if ( isset( $_POST['pass1'] ))
-		$pass1 = $_POST['pass1'];
+		$pass1 = stripslashes($_POST['pass1']);
 	if ( isset( $_POST['pass2'] ))
-		$pass2 = $_POST['pass2'];
+		$pass2 = stripslashes($_POST['pass2']);
 
 	if ( isset( $_POST['role'] ) && current_user_can( 'edit_users' ) ) {
 		$new_role = sanitize_text_field( $_POST['role'] );
@@ -148,7 +148,7 @@
 	}
 
 	/* Check for "\" in password */
-	if ( false !== strpos( stripslashes($pass1), "\\" ) )
+	if ( false !== strpos( $pass1, "\\" ) )
 		$errors->add( 'pass', __( '<strong>ERROR</strong>: Passwords may not contain the character "\\".' ), array( 'form-field' => 'pass1' ) );
 
 	/* checking the password has been typed twice the same */
Index: wp-admin/install.php
===================================================================
--- wp-admin/install.php	(revision 15937)
+++ wp-admin/install.php	(working copy)
@@ -183,8 +183,8 @@
 		// Fill in the data we gathered
 		$weblog_title = isset( $_POST['weblog_title'] ) ? trim( stripslashes( $_POST['weblog_title'] ) ) : '';
 		$user_name = isset($_POST['user_name']) ? trim( stripslashes( $_POST['user_name'] ) ) : 'admin';
-		$admin_password = isset($_POST['admin_password']) ? $_POST['admin_password'] : '';
-		$admin_password_check = isset($_POST['admin_password2']) ? $_POST['admin_password2'] : '';
+		$admin_password = isset($_POST['admin_password']) ? trim( stripslashes( $_POST['admin_password'] ) ) : '';
+		$admin_password_check = isset($_POST['admin_password2']) ? trim( stripslashes( $_POST['admin_password2'] ) ) : '';
 		$admin_email  = isset( $_POST['admin_email']  ) ?trim( stripslashes( $_POST['admin_email'] ) ) : '';
 		$public       = isset( $_POST['blog_public']  ) ? (int) $_POST['blog_public'] : 0;
 		// check e-mail address