﻿id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
21022,Allow bcrypt to be enabled via filter for pass hashing,th23,,"Hi,

following recent discussions on password security and how to best prevent hackers from leveraging a password table they might have obtained, I looked into the phpass used for WordPress.

While I in principle understand why WordPress uses the compatibility mode of it, I would like to see some flexibility for those who don't need the compatibility.

Thus I would propose to change in wp-includes/pluggable.php all occurrences of

$wp_hasher = new PasswordHash(8, true);

to

$wp_hasher = new PasswordHash(8, apply_filters('phpass_compatibility_mode', true));

This would allow users to easily change via plugin from the ""not so secure"" compatibility mode (only salted MD5) of phpass to a more secure setting (bcrypt) in case no compatibility with other applications is required.

The plugin changing the encryption method could then be as easy as

function phpass_bcrypt() {
	return false;
}
add_filter('phpass_compatibility_mode', 'phpass_bcrypt');",enhancement,new,normal,Awaiting Review,Security,3.4,normal,,2nd-opinion 3.6-early,info@… tom@… mike@… ian_dunn@… travis@…
