Changeset 59828 for trunk/src/wp-includes/class-wp-application-passwords.php

Timestamp:

02/17/2025 11:22:33 AM (3 months ago)

Author:

johnbillion

Message:

Security: Switch to using bcrypt for hashing user passwords and BLAKE2b for hashing application passwords and security keys.

Passwords and security keys that were saved in prior versions of WordPress will continue to work. Each user's password will be opportunistically rehashed and resaved when they next subsequently log in using a valid password.

The following new functions have been introduced:

• wp_password_needs_rehash()
• wp_fast_hash()
• wp_verify_fast_hash()

The following new filters have been introduced:

• password_needs_rehash
• wp_hash_password_algorithm
• wp_hash_password_options

Props ayeshrajans, bgermann, dd32, deadduck169, desrosj, haozi, harrym, iandunn, jammycakes, joehoyle, johnbillion, mbijon, mojorob, mslavco, my1xt, nacin, otto42, paragoninitiativeenterprises, paulkevan, rmccue, ryanhellyer, scribu, swalkinshaw, synchro, th23, timothyblynjacobs, tomdxw, westi, xknown.

Additional thanks go to the Roots team, Soatok, Calvin Alkan, and Raphael Ahrens.

Fixes #21022, #44628

File:

• trunk/src/wp-includes/class-wp-application-passwords.php (modified) (6 diffs)

trunk/src/wp-includes/class-wp-application-passwords.php

@@ -61 +61 @@
      * @since 5.6.0
      * @since 5.7.0 Returns WP_Error if application name already exists.
+     * @since 6.8.0 The hashed password value now uses wp_fast_hash() instead of phpass.
      *
      * @param int   $user_id  User ID.
@@ -96 +97 @@
 
         $new_password    = wp_generate_password( static::PW_LENGTH, false );
-        $hashed_password = wp_hash_password( $new_password );
+        $hashed_password = self::hash_password( $new_password );
 
         $new_item = array(
@@ -125 +126 @@
          *
          * @since 5.6.0
+         * @since 6.8.0 The hashed password value now uses wp_fast_hash() instead of phpass.
          *
          * @param int    $user_id      The user ID.
@@ -250 +252 @@
      *
      * @since 5.6.0
+     * @since 6.8.0 The actual password should now be hashed using wp_fast_hash().
      *
      * @param int    $user_id User ID.
@@ -297 +300 @@
              *
              * @since 5.6.0
+             * @since 6.8.0 The password is now hashed using wp_fast_hash() instead of phpass.
+             *              Existing passwords may still be hashed using phpass.
              *
              * @param int   $user_id The user ID.
@@ -468 +473 @@
         return trim( chunk_split( $raw_password, 4, ' ' ) );
     }
+
+    /**
+     * Hashes a plaintext application password.
+     *
+     * @since 6.8.0
+     *
+     * @param string $password Plaintext password.
+     * @return string Hashed password.
+     */
+    public static function hash_password(
+        #[\SensitiveParameter]
+        string $password
+    ): string {
+        return wp_fast_hash( $password );
+    }
+
+    /**
+     * Checks a plaintext application password against a hashed password.
+     *
+     * @since 6.8.0
+     *
+     * @param string $password Plaintext password.
+     * @param string $hash     Hash of the password to check against.
+     * @return bool Whether the password matches the hashed password.
+     */
+    public static function check_password(
+        #[\SensitiveParameter]
+        string $password,
+        string $hash
+    ): bool {
+        return wp_verify_fast_hash( $password, $hash );
+    }
 }