Changeset 59828 for trunk/tests/phpunit/tests/user/passwordHash.php

Timestamp:

02/17/2025 11:22:33 AM (3 months ago)

Author:

johnbillion

Message:

Security: Switch to using bcrypt for hashing user passwords and BLAKE2b for hashing application passwords and security keys.

Passwords and security keys that were saved in prior versions of WordPress will continue to work. Each user's password will be opportunistically rehashed and resaved when they next subsequently log in using a valid password.

The following new functions have been introduced:

• wp_password_needs_rehash()
• wp_fast_hash()
• wp_verify_fast_hash()

The following new filters have been introduced:

• password_needs_rehash
• wp_hash_password_algorithm
• wp_hash_password_options

Props ayeshrajans, bgermann, dd32, deadduck169, desrosj, haozi, harrym, iandunn, jammycakes, joehoyle, johnbillion, mbijon, mojorob, mslavco, my1xt, nacin, otto42, paragoninitiativeenterprises, paulkevan, rmccue, ryanhellyer, scribu, swalkinshaw, synchro, th23, timothyblynjacobs, tomdxw, westi, xknown.

Additional thanks go to the Roots team, Soatok, Calvin Alkan, and Raphael Ahrens.

Fixes #21022, #44628

File:

• trunk/tests/phpunit/tests/user/passwordHash.php (modified) (1 diff)

trunk/tests/phpunit/tests/user/passwordHash.php

@@ -3 +3 @@
 /**
  * Tests for the PasswordHash external library.
+ *
+ * PasswordHash is no longer used to hash user passwords or security keys, but it is still used to
+ * hash post passwords and as a fallback to verify old passwords that were hashed by phpass. The
+ * library therefore needs to remain compatible with the latest versions of PHP.
  *
  * @covers PasswordHash