WordPress.org

Make WordPress Core

Changes between Initial Version and Version 1 of Ticket #21022, comment 123


Ignore:
Timestamp:
09/18/2019 07:59:52 AM (23 months ago)
Author:
mbijon
Comment:

Legend:

Unmodified
Added
Removed
Modified
  • Ticket #21022, comment 123

    initial v1  
    55But if anyone wants to weigh-in on PM stuff instead of crypto ... How about...?
    66
    7 1. Add Paragon's bcrypt-sha-base64 solution and remove `passwordHash`
     71. Add Paragon's bcrypt-sha-base64 solution and KEEP `passwordHash`
    882. Implement hash-type detection for `$P$B`, `$2y$` and `$argon2i$` (maybe `$2a$`?)
    993. For the upgrade, add an `is_legacy_password = true` to `usermeta.meta_key` for every user with a `$P$B` hash.
     
    1212  * Batch update every `$P$B` hash into a `$2y$` format.
    1313  * Helps plugins like "wp-password-bcrypt" because the hash detection ensures NOT expiring existing `$2y$` or better hashes.
    14 5. Hook the login Action to check for `is_legacy_password == true` and prompt the user to change their password (including UX with a "why"). On new password creation, set `is_legacy_password = false`
     145. Hook the login Action to check for `is_legacy_password == true` and if so (1) Hash their submitted password with `passwordHash` and `password_hash()` to login, (2) Prompt the user to change their password (including UX with a "why"). On new password creation, set `is_legacy_password = false`
     15
     16(edited to note two-step hashing for 1st login when `is_legacy_password == true`)