Changeset 59828 for trunk/tests/phpunit/tests/auth.php

Timestamp:

02/17/2025 11:22:33 AM (3 months ago)

Author:

johnbillion

Message:

Security: Switch to using bcrypt for hashing user passwords and BLAKE2b for hashing application passwords and security keys.

Passwords and security keys that were saved in prior versions of WordPress will continue to work. Each user's password will be opportunistically rehashed and resaved when they next subsequently log in using a valid password.

The following new functions have been introduced:

• wp_password_needs_rehash()
• wp_fast_hash()
• wp_verify_fast_hash()

The following new filters have been introduced:

• password_needs_rehash
• wp_hash_password_algorithm
• wp_hash_password_options

Props ayeshrajans, bgermann, dd32, deadduck169, desrosj, haozi, harrym, iandunn, jammycakes, joehoyle, johnbillion, mbijon, mojorob, mslavco, my1xt, nacin, otto42, paragoninitiativeenterprises, paulkevan, rmccue, ryanhellyer, scribu, swalkinshaw, synchro, th23, timothyblynjacobs, tomdxw, westi, xknown.

Additional thanks go to the Roots team, Soatok, Calvin Alkan, and Raphael Ahrens.

Fixes #21022, #44628

File:

• trunk/tests/phpunit/tests/auth.php (modified) (18 diffs)

trunk/tests/phpunit/tests/auth.php

@@ -11 +11 @@
     const USER_PASS  = 'password';
 
+    /**
+     * @var WP_User
+     */
     protected $user;
 
@@ -17 +20 @@
      */
     protected static $_user;
+
+    /**
+     * @var int
+     */
     protected static $user_id;
+
+    /**
+     * @var PasswordHash
+     */
     protected static $wp_hasher;
+
+    protected static $bcrypt_length_limit = 72;
+
+    protected static $phpass_length_limit = 4096;
+
+    protected static $password_length_limit = 4096;
 
     /**
@@ -90 +107 @@
         $cookie = wp_generate_auth_cookie( self::$user_id, time() + 3600, 'foo' );
         $this->assertFalse( wp_validate_auth_cookie( $cookie, 'bar' ) );
+    }
+
+    /**
+     * @ticket 21022
+     */
+    public function test_auth_cookie_generated_with_phpass_hash_remains_valid() {
+        self::set_user_password_with_phpass( 'password', self::$user_id );
+
+        $auth_cookie = wp_generate_auth_cookie( self::$user_id, time() + 3600, 'auth' );
+
+        $this->assertSame( self::$user_id, wp_validate_auth_cookie( $auth_cookie, 'auth' ) );
+    }
+
+    /**
+     * @ticket 21022
+     */
+    public function test_auth_cookie_generated_with_plain_bcrypt_hash_remains_valid() {
+        self::set_user_password_with_plain_bcrypt( 'password', self::$user_id );
+
+        $auth_cookie = wp_generate_auth_cookie( self::$user_id, time() + 3600, 'auth' );
+
+        $this->assertSame( self::$user_id, wp_validate_auth_cookie( $auth_cookie, 'auth' ) );
     }
 
@@ -107 +146 @@
             $authed_user = wp_authenticate( $this->user->user_login, $password_to_test );
 
+            $this->assertNotWPError( $authed_user );
             $this->assertInstanceOf( 'WP_User', $authed_user );
             $this->assertSame( $this->user->ID, $authed_user->ID );
@@ -158 +198 @@
         $password = "pass with vertical tab o_O\x0B";
         $this->assertTrue( wp_check_password( 'pass with vertical tab o_O', wp_hash_password( $password ) ) );
+    }
+
+    /**
+     * @ticket 21022
+     */
+    public function test_wp_check_password_supports_phpass_hash() {
+        $password = 'password';
+        $hash     = self::$wp_hasher->HashPassword( $password );
+        $this->assertTrue( wp_check_password( $password, $hash ) );
+        $this->assertSame( 1, did_filter( 'check_password' ) );
+    }
+
+    /**
+     * Ensure wp_check_password() remains compatible with an increase to the default bcrypt cost.
+     *
+     * The test verifies this by reducing the cost used to generate the hash, therefore mimicing a hash
+     * which was generated prior to the default cost being increased.
+     *
+     * Notably the bcrypt cost was increased in PHP 8.4: https://wiki.php.net/rfc/bcrypt_cost_2023 .
+     *
+     * @ticket 21022
+     */
+    public function test_wp_check_password_supports_hash_with_increased_bcrypt_cost() {
+        $password = 'password';
+
+        // Reducing the cost mimics an increase to the default cost.
+        add_filter( 'wp_hash_password_options', array( $this, 'reduce_hash_cost' ) );
+        $hash = wp_hash_password( $password, PASSWORD_BCRYPT );
+        remove_filter( 'wp_hash_password_options', array( $this, 'reduce_hash_cost' ) );
+
+        $this->assertTrue( wp_check_password( $password, $hash ) );
+        $this->assertSame( 1, did_filter( 'check_password' ) );
+        $this->assertTrue( wp_password_needs_rehash( $hash ) );
+    }
+
+    /**
+     * Ensure wp_check_password() remains compatible with a reduction of the default bcrypt cost.
+     *
+     * The test verifies this by increasing the cost used to generate the hash, therefore mimicing a hash
+     * which was generated prior to the default cost being reduced.
+     *
+     * A reduction of the cost is unlikely to occur but is fully supported.
+     *
+     * @ticket 21022
+     */
+    public function test_wp_check_password_supports_hash_with_reduced_bcrypt_cost() {
+        $password = 'password';
+
+        // Increasing the cost mimics a reduction of the default cost.
+        add_filter( 'wp_hash_password_options', array( $this, 'increase_hash_cost' ) );
+        $hash = wp_hash_password( $password, PASSWORD_BCRYPT );
+        remove_filter( 'wp_hash_password_options', array( $this, 'increase_hash_cost' ) );
+
+        $this->assertTrue( wp_check_password( $password, $hash ) );
+        $this->assertSame( 1, did_filter( 'check_password' ) );
+        $this->assertTrue( wp_password_needs_rehash( $hash ) );
+    }
+
+    /**
+     * @ticket 21022
+     */
+    public function test_wp_check_password_supports_wp_hash_with_default_bcrypt_cost() {
+        $password = 'password';
+
+        $hash = wp_hash_password( $password, PASSWORD_BCRYPT );
+
+        $this->assertTrue( wp_check_password( $password, $hash ) );
+        $this->assertSame( 1, did_filter( 'check_password' ) );
+        $this->assertFalse( wp_password_needs_rehash( $hash ) );
+    }
+
+    /**
+     * @ticket 21022
+     */
+    public function test_wp_check_password_supports_plain_bcrypt_hash_with_default_bcrypt_cost() {
+        $password = 'password';
+
+        $hash = password_hash( $password, PASSWORD_BCRYPT );
+
+        $this->assertTrue( wp_check_password( $password, $hash ) );
+        $this->assertSame( 1, did_filter( 'check_password' ) );
+        $this->assertTrue( wp_password_needs_rehash( $hash ) );
+    }
+
+    /**
+     * Ensure wp_check_password() is compatible with Argon2i hashes.
+     *
+     * @ticket 21022
+     */
+    public function test_wp_check_password_supports_argon2i_hash() {
+        if ( ! defined( 'PASSWORD_ARGON2I' ) ) {
+            $this->fail( 'Argon2i is not supported.' );
+        }
+
+        $password = 'password';
+        $hash     = password_hash( trim( $password ), PASSWORD_ARGON2I );
+        $this->assertTrue( wp_check_password( $password, $hash ) );
+        $this->assertSame( 1, did_filter( 'check_password' ) );
+    }
+
+    /**
+     * Ensure wp_check_password() is compatible with Argon2id hashes.
+     *
+     * @requires PHP >= 7.3
+     *
+     * @ticket 21022
+     */
+    public function test_wp_check_password_supports_argon2id_hash() {
+        if ( ! defined( 'PASSWORD_ARGON2ID' ) ) {
+            $this->fail( 'Argon2id is not supported.' );
+        }
+
+        $password = 'password';
+        $hash     = password_hash( trim( $password ), PASSWORD_ARGON2ID );
+        $this->assertTrue( wp_check_password( $password, $hash ) );
+        $this->assertSame( 1, did_filter( 'check_password' ) );
+    }
+
+    /**
+     * @ticket 21022
+     */
+    public function test_wp_check_password_does_not_support_md5_hashes() {
+        $password = 'password';
+        $hash     = md5( $password );
+        $this->assertFalse( wp_check_password( $password, $hash ) );
+        $this->assertSame( 1, did_filter( 'check_password' ) );
+    }
+
+    /**
+     * @ticket 21022
+     */
+    public function test_wp_check_password_does_not_support_plain_text() {
+        $password = 'password';
+        $hash     = $password;
+        $this->assertFalse( wp_check_password( $password, $hash ) );
+        $this->assertSame( 1, did_filter( 'check_password' ) );
+    }
+
+    /**
+     * @ticket 21022
+     *
+     * @dataProvider data_empty_values
+     * @param mixed $value
+     */
+    public function test_wp_check_password_does_not_support_empty_hash( $value ) {
+        $password = 'password';
+        $hash     = $value;
+        $this->assertFalse( wp_check_password( $password, $hash ) );
+        $this->assertSame( 1, did_filter( 'check_password' ) );
+    }
+
+    /**
+     * @ticket 21022
+     *
+     * @dataProvider data_empty_values
+     * @param mixed $value
+     */
+    public function test_wp_check_password_does_not_support_empty_password( $value ) {
+        $password = $value;
+        $hash     = $value;
+        $this->assertFalse( wp_check_password( $password, $hash ) );
+        $this->assertSame( 1, did_filter( 'check_password' ) );
+    }
+
+    public function data_empty_values() {
+        return array(
+            // Integer zero:
+            array( 0 ),
+            // String zero:
+            array( '0' ),
+            // Zero-length string:
+            array( '' ),
+            // Null byte character:
+            array( "\0" ),
+            // Asterisk values:
+            array( '*' ),
+            array( '*0' ),
+            array( '*1' ),
+        );
     }
 
@@ -236 +455 @@
     }
 
-    public function test_password_length_limit() {
-        $limit = str_repeat( 'a', 4096 );
-
+    /**
+     * @ticket 21022
+     */
+    public function test_password_is_hashed_with_bcrypt() {
+        $password = 'password';
+
+        // Set the user password.
+        wp_set_password( $password, self::$user_id );
+
+        // Ensure the password is hashed with bcrypt.
+        $this->assertStringStartsWith( '$wp$2y$', get_userdata( self::$user_id )->user_pass );
+
+        // Authenticate.
+        $user = wp_authenticate( $this->user->user_login, $password );
+
+        // Verify correct password.
+        $this->assertNotWPError( $user );
+        $this->assertInstanceOf( 'WP_User', $user );
+        $this->assertSame( self::$user_id, $user->ID );
+    }
+
+    /**
+     * @ticket 21022
+     */
+    public function test_invalid_password_at_bcrypt_length_limit_is_rejected() {
+        $limit = str_repeat( 'a', self::$bcrypt_length_limit );
+
+        // Set the user password to the bcrypt limit.
         wp_set_password( $limit, self::$user_id );
-        // phpass hashed password.
-        $this->assertStringStartsWith( '$P$', $this->user->data->user_pass );
 
         $user = wp_authenticate( $this->user->user_login, 'aaaaaaaa' );
         // Wrong password.
-        $this->assertInstanceOf( 'WP_Error', $user );
-
+        $this->assertWPError( $user );
+        $this->assertSame( 'incorrect_password', $user->get_error_code() );
+    }
+
+    /**
+     * @ticket 21022
+     */
+    public function test_invalid_password_beyond_bcrypt_length_limit_is_rejected() {
+        $limit = str_repeat( 'a', self::$bcrypt_length_limit + 1 );
+
+        // Set the user password beyond the bcrypt limit.
+        wp_set_password( $limit, self::$user_id );
+
+        $user = wp_authenticate( $this->user->user_login, 'aaaaaaaa' );
+        // Wrong password.
+        $this->assertWPError( $user );
+        $this->assertSame( 'incorrect_password', $user->get_error_code() );
+    }
+
+    /**
+     * @ticket 21022
+     */
+    public function test_valid_password_at_bcrypt_length_limit_is_accepted() {
+        $limit = str_repeat( 'a', self::$bcrypt_length_limit );
+
+        // Set the user password to the bcrypt limit.
+        wp_set_password( $limit, self::$user_id );
+
+        // Authenticate.
         $user = wp_authenticate( $this->user->user_login, $limit );
+
+        // Correct password.
+        $this->assertNotWPError( $user );
         $this->assertInstanceOf( 'WP_User', $user );
         $this->assertSame( self::$user_id, $user->ID );
-
-        // One char too many.
-        $user = wp_authenticate( $this->user->user_login, $limit . 'a' );
+    }
+
+    /**
+     * @ticket 21022
+     */
+    public function test_valid_password_beyond_bcrypt_length_limit_is_accepted() {
+        $limit = str_repeat( 'a', self::$bcrypt_length_limit + 1 );
+
+        // Set the user password beyond the bcrypt limit.
+        wp_set_password( $limit, self::$user_id );
+
+        // Authenticate.
+        $user = wp_authenticate( $this->user->user_login, $limit );
+
+        // Correct password depite its length.
+        $this->assertNotWPError( $user );
+        $this->assertInstanceOf( 'WP_User', $user );
+        $this->assertSame( self::$user_id, $user->ID );
+    }
+
+    /**
+     * A password beyond 72 bytes will be truncated by bcrypt by default and still be accepted.
+     *
+     * This ensures that a truncated password is not accepted by WordPress.
+     *
+     * @ticket 21022
+     */
+    public function test_long_truncated_password_is_rejected() {
+        $at_limit     = str_repeat( 'a', self::$bcrypt_length_limit );
+        $beyond_limit = str_repeat( 'a', self::$bcrypt_length_limit + 1 );
+
+        // Set the user password beyond the bcrypt limit.
+        wp_set_password( $beyond_limit, self::$user_id );
+
+        // Authenticate using a truncated password.
+        $user = wp_authenticate( $this->user->user_login, $at_limit );
+
+        // Incorrect password.
+        $this->assertWPError( $user );
+        $this->assertSame( 'incorrect_password', $user->get_error_code() );
+    }
+
+    /**
+     * @ticket 21022
+     */
+    public function test_setting_password_beyond_bcrypt_length_limit_is_rejected() {
+        $beyond_limit = str_repeat( 'a', self::$password_length_limit + 1 );
+
+        // Set the user password beyond the limit.
+        wp_set_password( $beyond_limit, self::$user_id );
+
+        // Password broken by setting it to be too long.
+        $user = get_user_by( 'id', self::$user_id );
+        $this->assertSame( '*', $user->data->user_pass );
+
+        // Password is not accepted.
+        $user = wp_authenticate( $this->user->user_login, $beyond_limit );
+        $this->assertInstanceOf( 'WP_Error', $user );
+        $this->assertSame( 'incorrect_password', $user->get_error_code() );
+
+        // Placeholder is not accepted.
+        $user = wp_authenticate( $this->user->user_login, '*' );
+        $this->assertInstanceOf( 'WP_Error', $user );
+        $this->assertSame( 'incorrect_password', $user->get_error_code() );
+    }
+
+    /**
+     * @see https://core.trac.wordpress.org/changeset/30466
+     */
+    public function test_invalid_password_at_phpass_length_limit_is_rejected() {
+        $limit = str_repeat( 'a', self::$phpass_length_limit );
+
+        // Set the user password with the old phpass algorithm.
+        self::set_user_password_with_phpass( $limit, self::$user_id );
+
+        // Authenticate.
+        $user = wp_authenticate( $this->user->user_login, 'aaaaaaaa' );
+
         // Wrong password.
         $this->assertInstanceOf( 'WP_Error', $user );
-
-        wp_set_password( $limit . 'a', self::$user_id );
+        $this->assertSame( 'incorrect_password', $user->get_error_code() );
+    }
+
+    public function test_valid_password_at_phpass_length_limit_is_accepted() {
+        $limit = str_repeat( 'a', self::$phpass_length_limit );
+
+        // Set the user password with the old phpass algorithm.
+        self::set_user_password_with_phpass( $limit, self::$user_id );
+
+        // Authenticate.
+        $user = wp_authenticate( $this->user->user_login, $limit );
+
+        // Correct password.
+        $this->assertNotWPError( $user );
+        $this->assertInstanceOf( 'WP_User', $user );
+        $this->assertSame( self::$user_id, $user->ID );
+    }
+
+    public function test_too_long_password_at_phpass_length_limit_is_rejected() {
+        $limit = str_repeat( 'a', self::$phpass_length_limit );
+
+        // Set the user password with the old phpass algorithm.
+        self::set_user_password_with_phpass( $limit, self::$user_id );
+
+        // Authenticate with a password that is one character too long.
+        $user = wp_authenticate( $this->user->user_login, $limit . 'a' );
+
+        // Wrong password.
+        $this->assertInstanceOf( 'WP_Error', $user );
+        $this->assertSame( 'incorrect_password', $user->get_error_code() );
+    }
+
+    public function test_too_long_password_beyond_phpass_length_limit_is_rejected() {
+        // One char too many.
+        $too_long = str_repeat( 'a', self::$phpass_length_limit + 1 );
+
+        // Set the user password with the old phpass algorithm.
+        self::set_user_password_with_phpass( $too_long, self::$user_id );
+
         $user = get_user_by( 'id', self::$user_id );
         // Password broken by setting it to be too long.
         $this->assertSame( '*', $user->data->user_pass );
 
+        // Password is not accepted.
         $user = wp_authenticate( $this->user->user_login, '*' );
         $this->assertInstanceOf( 'WP_Error', $user );
-
-        $user = wp_authenticate( $this->user->user_login, '*0' );
+        $this->assertSame( 'incorrect_password', $user->get_error_code() );
+    }
+
+    /**
+     * @dataProvider data_empty_values
+     * @param mixed $value
+     */
+    public function test_empty_password_is_rejected_by_bcrypt( $value ) {
+        // Set the user password.
+        wp_set_password( 'password', self::$user_id );
+
+        $user = wp_authenticate( $this->user->user_login, $value );
         $this->assertInstanceOf( 'WP_Error', $user );
-
-        $user = wp_authenticate( $this->user->user_login, '*1' );
+    }
+
+    /**
+     * @dataProvider data_empty_values
+     * @param mixed $value
+     */
+    public function test_empty_password_is_rejected_by_phpass( $value ) {
+        // Set the user password with the old phpass algorithm.
+        self::set_user_password_with_phpass( 'password', self::$user_id );
+
+        $user = wp_authenticate( $this->user->user_login, $value );
         $this->assertInstanceOf( 'WP_Error', $user );
+    }
+
+    public function test_incorrect_password_is_rejected_by_phpass() {
+        // Set the user password with the old phpass algorithm.
+        self::set_user_password_with_phpass( 'password', self::$user_id );
 
         $user = wp_authenticate( $this->user->user_login, 'aaaaaaaa' );
+
         // Wrong password.
         $this->assertInstanceOf( 'WP_Error', $user );
-
-        $user = wp_authenticate( $this->user->user_login, $limit );
-        // Wrong password.
-        $this->assertInstanceOf( 'WP_Error', $user );
+        $this->assertSame( 'incorrect_password', $user->get_error_code() );
+    }
+
+    public function test_too_long_password_is_rejected_by_phpass() {
+        $limit = str_repeat( 'a', self::$phpass_length_limit );
+
+        // Set the user password with the old phpass algorithm.
+        self::set_user_password_with_phpass( 'password', self::$user_id );
 
         $user = wp_authenticate( $this->user->user_login, $limit . 'a' );
+
         // Password broken by setting it to be too long.
         $this->assertInstanceOf( 'WP_Error', $user );
+        $this->assertSame( 'incorrect_password', $user->get_error_code() );
     }
 
@@ -307 +723 @@
             $wpdb->users,
             array(
-                'user_activation_key' => strtotime( '-1 hour' ) . ':' . self::$wp_hasher->HashPassword( $key ),
+                'user_activation_key' => strtotime( '-1 hour' ) . ':' . wp_fast_hash( $key ),
             ),
             array(
@@ -345 +761 @@
             $wpdb->users,
             array(
-                'user_activation_key' => strtotime( '-48 hours' ) . ':' . self::$wp_hasher->HashPassword( $key ),
+                'user_activation_key' => strtotime( '-48 hours' ) . ':' . wp_fast_hash( $key ),
             ),
             array(
@@ -356 +772 @@
         $check = check_password_reset_key( $key, $this->user->user_login );
         $this->assertInstanceOf( 'WP_Error', $check );
+        $this->assertSame( 'expired_key', $check->get_error_code() );
     }
 
@@ -394 +811 @@
         $check = check_password_reset_key( $key, $this->user->user_login );
         $this->assertInstanceOf( 'WP_Error', $check );
+        $this->assertSame( 'expired_key', $check->get_error_code() );
 
         // An empty key with a legacy user_activation_key should be rejected.
         $check = check_password_reset_key( '', $this->user->user_login );
         $this->assertInstanceOf( 'WP_Error', $check );
+        $this->assertSame( 'invalid_key', $check->get_error_code() );
+    }
+
+    /**
+     * @ticket 21022
+     */
+    public function test_phpass_user_activation_key_is_allowed() {
+        global $wpdb;
+
+        // A legacy user_activation_key is one hashed using phpass between WordPress 4.3 and 6.8.0.
+
+        $key = wp_generate_password( 20, false );
+        $wpdb->update(
+            $wpdb->users,
+            array(
+                'user_activation_key' => strtotime( '-1 hour' ) . ':' . self::$wp_hasher->HashPassword( $key ),
+            ),
+            array(
+                'ID' => $this->user->ID,
+            )
+        );
+        clean_user_cache( $this->user );
+
+        // A legacy phpass user_activation_key should remain valid.
+        $check = check_password_reset_key( $key, $this->user->user_login );
+        $this->assertNotWPError( $check );
+        $this->assertInstanceOf( 'WP_User', $check );
+        $this->assertSame( $this->user->ID, $check->ID );
+
+        // An empty key with a legacy user_activation_key should be rejected.
+        $check = check_password_reset_key( '', $this->user->user_login );
+        $this->assertWPError( $check );
+        $this->assertSame( 'invalid_key', $check->get_error_code() );
+    }
+
+    /**
+     * @ticket 21022
+     */
+    public function test_expired_phpass_user_activation_key_is_rejected() {
+        global $wpdb;
+
+        // A legacy user_activation_key is one hashed using phpass between WordPress 4.3 and 6.8.0.
+
+        $key = wp_generate_password( 20, false );
+        $wpdb->update(
+            $wpdb->users,
+            array(
+                'user_activation_key' => strtotime( '-48 hours' ) . ':' . self::$wp_hasher->HashPassword( $key ),
+            ),
+            array(
+                'ID' => $this->user->ID,
+            )
+        );
+        clean_user_cache( $this->user );
+
+        // A legacy phpass user_activation_key should still be subject to an expiry check.
+        $check = check_password_reset_key( $key, $this->user->user_login );
+        $this->assertWPError( $check );
+        $this->assertSame( 'expired_key', $check->get_error_code() );
+
+        // An empty key with a legacy user_activation_key should be rejected.
+        $check = check_password_reset_key( '', $this->user->user_login );
+        $this->assertWPError( $check );
+        $this->assertSame( 'invalid_key', $check->get_error_code() );
+    }
+
+    /**
+     * @ticket 21022
+     */
+    public function test_user_request_key_handling() {
+        $request_id = wp_create_user_request( 'test@example.com', 'remove_personal_data' );
+        $key        = wp_generate_user_request_key( $request_id );
+
+        // A valid key should be accepted.
+        $check = wp_validate_user_request_key( $request_id, $key );
+        $this->assertNotWPError( $check );
+        $this->assertTrue( $check );
+
+        // An invalid key should rejected.
+        $check = wp_validate_user_request_key( $request_id, 'invalid' );
+        $this->assertWPError( $check );
+        $this->assertSame( 'invalid_key', $check->get_error_code() );
+
+        // An empty key should be rejected.
+        $check = wp_validate_user_request_key( $request_id, '' );
+        $this->assertWPError( $check );
+        $this->assertSame( 'missing_key', $check->get_error_code() );
+    }
+
+    /**
+     * @ticket 21022
+     */
+    public function test_phpass_user_request_key_is_allowed() {
+        // A legacy user request key is one hashed using phpass between WordPress 4.3 and 6.8.0.
+
+        $request_id = wp_create_user_request( 'test@example.com', 'remove_personal_data' );
+        $key        = wp_generate_password( 20, false );
+
+        wp_update_post(
+            array(
+                'ID'            => $request_id,
+                'post_password' => self::$wp_hasher->HashPassword( $key ),
+            )
+        );
+
+        // A legacy phpass key should remain valid.
+        $check = wp_validate_user_request_key( $request_id, $key );
+        $this->assertNotWPError( $check );
+        $this->assertTrue( $check );
+
+        // An empty key with a legacy key should be rejected.
+        $check = wp_validate_user_request_key( $request_id, '' );
+        $this->assertWPError( $check );
+        $this->assertSame( 'missing_key', $check->get_error_code() );
+    }
+
+    /**
+     * The `wp_password_needs_rehash()` function is just a wrapper around `password_needs_rehash()`, but this ensures
+     * that it works as expected.
+     *
+     * Notably the bcrypt cost was increased in PHP 8.4: https://wiki.php.net/rfc/bcrypt_cost_2023 .
+     *
+     * @ticket 21022
+     */
+    public function check_password_needs_rehashing() {
+        $password = 'password';
+
+        // Current password hashing algorithm.
+        $hash = wp_hash_password( $password );
+        $this->assertFalse( wp_password_needs_rehash( $hash ) );
+
+        // A future upgrade from a previously lower cost.
+        $default = self::get_default_bcrypt_cost();
+        $opts    = array(
+            // Reducing the cost mimics an increase in the default cost.
+            'cost' => $default - 1,
+        );
+        $hash    = password_hash( $password, PASSWORD_BCRYPT, $opts );
+        $this->assertTrue( wp_password_needs_rehash( $hash ) );
+
+        // Previous phpass algorithm.
+        $hash = self::$wp_hasher->HashPassword( $password );
+        $this->assertTrue( wp_password_needs_rehash( $hash ) );
+
+        // o_O md5.
+        $hash = md5( $password );
+        $this->assertTrue( wp_password_needs_rehash( $hash ) );
     }
 
@@ -456 +1021 @@
         $this->assertEmpty( $user->user_activation_key, 'The `user_activation_key` was not empty on the user object returned by `wp_signon()` function.' );
         $this->assertEmpty( $activation_key_from_database, 'The `user_activation_key` was not empty in the database.' );
+    }
+
+    /**
+     * @ticket 21022
+     */
+    public function test_phpass_application_password_is_accepted() {
+        add_filter( 'application_password_is_api_request', '__return_true' );
+        add_filter( 'wp_is_application_passwords_available', '__return_true' );
+
+        $password = 'password';
+
+        // Set an application password with the old phpass algorithm.
+        $uuid = self::set_application_password_with_phpass( $password, self::$user_id );
+
+        // Authenticate.
+        $user = wp_authenticate_application_password( null, self::USER_LOGIN, $password );
+
+        // Verify that the phpass hash for the application password was valid.
+        $this->assertNotWPError( $user );
+        $this->assertInstanceOf( 'WP_User', $user );
+        $this->assertSame( self::$user_id, $user->ID );
+    }
+
+    /**
+     * @dataProvider data_usernames
+     *
+     * @ticket 21022
+     */
+    public function test_phpass_password_is_rehashed_after_successful_user_password_authentication( $username_or_email ) {
+        $password = 'password';
+
+        // Set the user password with the old phpass algorithm.
+        self::set_user_password_with_phpass( $password, self::$user_id );
+
+        // Verify that the password needs rehashing.
+        $hash = get_userdata( self::$user_id )->user_pass;
+        $this->assertTrue( wp_password_needs_rehash( $hash, self::$user_id ) );
+
+        // Authenticate.
+        $user = wp_authenticate( $username_or_email, $password );
+
+        // Verify that the phpass password hash was valid.
+        $this->assertNotWPError( $user );
+        $this->assertInstanceOf( 'WP_User', $user );
+        $this->assertSame( self::$user_id, $user->ID );
+
+        // Verify that the password no longer needs rehashing.
+        $hash = get_userdata( self::$user_id )->user_pass;
+        $this->assertFalse( wp_password_needs_rehash( $hash, self::$user_id ) );
+
+        // Authenticate a second time to ensure the new hash is valid.
+        $user = wp_authenticate( $username_or_email, $password );
+
+        // Verify that the bcrypt password hash is valid.
+        $this->assertNotWPError( $user );
+        $this->assertInstanceOf( 'WP_User', $user );
+        $this->assertSame( self::$user_id, $user->ID );
+    }
+
+    /**
+     * @dataProvider data_usernames
+     *
+     * @ticket 21022
+     */
+    public function test_bcrypt_password_is_rehashed_with_new_cost_after_successful_user_password_authentication( $username_or_email ) {
+        $password = 'password';
+
+        // Hash the user password with a lower cost than default to mimic a cost upgrade.
+        add_filter( 'wp_hash_password_options', array( $this, 'reduce_hash_cost' ) );
+        wp_set_password( $password, self::$user_id );
+        remove_filter( 'wp_hash_password_options', array( $this, 'reduce_hash_cost' ) );
+
+        // Verify that the password needs rehashing.
+        $hash = get_userdata( self::$user_id )->user_pass;
+        $this->assertTrue( wp_password_needs_rehash( $hash, self::$user_id ) );
+
+        // Authenticate.
+        $user = wp_authenticate( $username_or_email, $password );
+
+        // Verify that the reduced cost password hash was valid.
+        $this->assertNotWPError( $user );
+        $this->assertInstanceOf( 'WP_User', $user );
+        $this->assertSame( self::$user_id, $user->ID );
+
+        // Verify that the password has been rehashed with the increased cost.
+        $hash = get_userdata( self::$user_id )->user_pass;
+        $this->assertFalse( wp_password_needs_rehash( $hash, self::$user_id ) );
+        $this->assertSame( self::get_default_bcrypt_cost(), password_get_info( substr( $hash, 3 ) )['options']['cost'] );
+
+        // Authenticate a second time to ensure the new hash is valid.
+        $user = wp_authenticate( $username_or_email, $password );
+
+        // Verify that the password hash is valid.
+        $this->assertNotWPError( $user );
+        $this->assertInstanceOf( 'WP_User', $user );
+        $this->assertSame( self::$user_id, $user->ID );
+    }
+
+    public function reduce_hash_cost( array $options ): array {
+        $options['cost'] = self::get_default_bcrypt_cost() - 1;
+        return $options;
+    }
+
+    public function increase_hash_cost( array $options ): array {
+        $options['cost'] = self::get_default_bcrypt_cost() + 1;
+        return $options;
+    }
+
+    public function data_usernames() {
+        return array(
+            array(
+                self::USER_LOGIN,
+            ),
+            array(
+                self::USER_EMAIL,
+            ),
+        );
+    }
+
+    /**
+     * @ticket 21022
+     */
+    public function test_password_rehashing_requirement_can_be_filtered() {
+        $filter_count_before = did_filter( 'password_needs_rehash' );
+
+        wp_password_needs_rehash( '$hash' );
+
+        $this->assertSame( $filter_count_before + 1, did_filter( 'password_needs_rehash' ) );
+    }
+
+    /**
+     * @ticket 21022
+     */
+    public function test_password_hashing_algorithm_can_be_filtered() {
+        $password = 'password';
+
+        $filter_count_before = did_filter( 'wp_hash_password_algorithm' );
+
+        $wp_hash = wp_hash_password( $password );
+
+        wp_check_password( $password, $wp_hash );
+        wp_password_needs_rehash( $wp_hash );
+
+        $this->assertSame( $filter_count_before + 2, did_filter( 'wp_hash_password_algorithm' ) );
+    }
+
+    /**
+     * @ticket 21022
+     */
+    public function test_password_hashing_options_can_be_filtered() {
+        $password = 'password';
+
+        add_filter(
+            'wp_hash_password_options',
+            static function ( $options ) {
+                $options['cost'] = 5;
+                return $options;
+            }
+        );
+
+        $filter_count_before = did_filter( 'wp_hash_password_options' );
+
+        $wp_hash      = wp_hash_password( $password );
+        $valid        = wp_check_password( $password, $wp_hash );
+        $needs_rehash = wp_password_needs_rehash( $wp_hash );
+        $info         = password_get_info( substr( $wp_hash, 3 ) );
+        $cost         = $info['options']['cost'];
+
+        $this->assertTrue( $valid );
+        $this->assertFalse( $needs_rehash );
+        $this->assertSame( $filter_count_before + 2, did_filter( 'wp_hash_password_options' ) );
+        $this->assertSame( 5, $cost );
+    }
+
+    /**
+     * @ticket 21022
+     */
+    public function test_password_checks_support_wp_hasher_fallback() {
+        global $wp_hasher;
+
+        $filter_count_before = did_filter( 'wp_hash_password_options' );
+
+        $password = 'password';
+
+        // Ensure the global $wp_hasher is set.
+        $wp_hasher = new WP_Fake_Hasher();
+
+        $hasher_hash  = $wp_hasher->HashPassword( $password );
+        $wp_hash      = wp_hash_password( $password );
+        $valid        = wp_check_password( $password, $wp_hash );
+        $needs_rehash = wp_password_needs_rehash( $wp_hash );
+
+        // Reset the global $wp_hasher.
+        $wp_hasher = null;
+
+        $this->assertSame( $hasher_hash, $wp_hash );
+        $this->assertTrue( $valid );
+        $this->assertFalse( $needs_rehash );
+        $this->assertSame( 1, did_filter( 'check_password' ) );
+        $this->assertSame( $filter_count_before, did_filter( 'wp_hash_password_options' ) );
     }
 
@@ -704 +1469 @@
      */
     public function test_authenticate_application_password_respects_existing_user() {
-        $this->assertSame( self::$_user, wp_authenticate_application_password( self::$_user, self::$_user->user_login, 'password' ) );
+        $user = wp_authenticate_application_password( self::$_user, self::$_user->user_login, 'password' );
+        $this->assertNotWPError( $user );
+        $this->assertSame( self::$_user, $user );
     }
 
@@ -713 +1480 @@
         add_filter( 'application_password_is_api_request', '__return_false' );
 
-        $this->assertNull( wp_authenticate_application_password( null, self::$_user->user_login, 'password' ) );
+        $user = wp_authenticate_application_password( null, self::$_user->user_login, 'password' );
+        $this->assertNotWPError( $user );
+        $this->assertNull( $user );
     }
 
@@ -806 +1575 @@
 
         $user = wp_authenticate_application_password( null, self::$_user->user_login, $password );
+        $this->assertNotWPError( $user );
         $this->assertInstanceOf( WP_User::class, $user );
         $this->assertSame( self::$user_id, $user->ID );
@@ -820 +1590 @@
 
         $user = wp_authenticate_application_password( null, self::$_user->user_email, $password );
+        $this->assertNotWPError( $user );
         $this->assertInstanceOf( WP_User::class, $user );
         $this->assertSame( self::$user_id, $user->ID );
@@ -834 +1605 @@
 
         $user = wp_authenticate_application_password( null, self::$_user->user_email, WP_Application_Passwords::chunk_password( $password ) );
+        $this->assertNotWPError( $user );
         $this->assertInstanceOf( WP_User::class, $user );
         $this->assertSame( self::$user_id, $user->ID );
@@ -845 +1617 @@
 
         $authenticated = wp_authenticate_application_password( null, 'idonotexist', 'password' );
+        $this->assertNotWPError( $authenticated );
         $this->assertNull( $authenticated );
     }
@@ -968 +1741 @@
         $this->assertSame( $_SERVER['PHP_AUTH_PW'], 'pass:word' );
     }
+
+    /**
+     * Test the tests
+     *
+     * @covers Tests_Auth::set_user_password_with_phpass
+     *
+     * @ticket 21022
+     */
+    public function test_set_user_password_with_phpass() {
+        // Set the user password with the old phpass algorithm.
+        self::set_user_password_with_phpass( 'password', self::$user_id );
+
+        // Ensure the password is hashed with phpass.
+        $hash = get_userdata( self::$user_id )->user_pass;
+        $this->assertStringStartsWith( '$P$', $hash );
+    }
+
+    private static function set_user_password_with_phpass( string $password, int $user_id ) {
+        global $wpdb;
+
+        $wpdb->update(
+            $wpdb->users,
+            array(
+                'user_pass' => self::$wp_hasher->HashPassword( $password ),
+            ),
+            array(
+                'ID' => $user_id,
+            )
+        );
+        clean_user_cache( $user_id );
+    }
+
+
+    /**
+     * Test the tests
+     *
+     * @covers Tests_Auth::set_user_password_with_plain_bcrypt
+     *
+     * @ticket 21022
+     */
+    public function test_set_user_password_with_plain_bcrypt() {
+        // Set the user password with plain bcrypt.
+        self::set_user_password_with_plain_bcrypt( 'password', self::$user_id );
+
+        // Ensure the password is hashed with bcrypt.
+        $hash = get_userdata( self::$user_id )->user_pass;
+        $this->assertStringStartsWith( '$2y$', $hash );
+    }
+
+    private static function set_user_password_with_plain_bcrypt( string $password, int $user_id ) {
+        global $wpdb;
+
+        $wpdb->update(
+            $wpdb->users,
+            array(
+                'user_pass' => password_hash( 'password', PASSWORD_BCRYPT ),
+            ),
+            array(
+                'ID' => $user_id,
+            )
+        );
+        clean_user_cache( $user_id );
+    }
+
+    /**
+     * Test the tests
+     *
+     * @covers Tests_Auth::set_application_password_with_phpass
+     *
+     * @ticket 21022
+     */
+    public function test_set_application_password_with_phpass() {
+        // Set an application password with the old phpass algorithm.
+        $uuid = self::set_application_password_with_phpass( 'password', self::$user_id );
+
+        // Ensure the password is hashed with phpass.
+        $hash = WP_Application_Passwords::get_user_application_password( self::$user_id, $uuid )['password'];
+        $this->assertStringStartsWith( '$P$', $hash );
+    }
+
+    private static function set_application_password_with_phpass( string $password, int $user_id ) {
+        $uuid = wp_generate_uuid4();
+        $item = array(
+            'uuid'      => $uuid,
+            'app_id'    => '',
+            'name'      => 'Test',
+            'password'  => self::$wp_hasher->HashPassword( $password ),
+            'created'   => time(),
+            'last_used' => null,
+            'last_ip'   => null,
+        );
+
+        $saved = update_user_meta(
+            $user_id,
+            WP_Application_Passwords::USERMETA_KEY_APPLICATION_PASSWORDS,
+            array( $item )
+        );
+
+        if ( ! $saved ) {
+            throw new Exception( 'Could not save application password.' );
+        }
+
+        update_network_option( get_main_network_id(), WP_Application_Passwords::OPTION_KEY_IN_USE, true );
+
+        return $uuid;
+    }
+
+    private static function get_default_bcrypt_cost(): int {
+        $hash = password_hash( 'password', PASSWORD_BCRYPT );
+        $info = password_get_info( $hash );
+
+        return $info['options']['cost'];
+    }
 }