Changes between Initial Version and Version 1 of Ticket #21022, comment 123
Timestamp: 09/18/2019 07:59:52 AM
Ticket #21022, comment 123 (changed lines are shown as "Initial:" followed by "Version 1:"; all other lines are unmodified)

But if anyone wants to weigh-in on PM stuff instead of crypto ... How about...?

Initial:   1. Add Paragon's bcrypt-sha-base64 solution and remove `passwordHash`
Version 1: 1. Add Paragon's bcrypt-sha-base64 solution and KEEP `passwordHash`
2. Implement hash-type detection for `$P$B`, `$2y$` and `$argon2i$` (maybe `$2a$`?)
3. For the upgrade, add an `is_legacy_password = true` to `usermeta.meta_key` for every user with a `$P$B` hash.
…
  * Batch update every `$P$B` hash into a `$2y$` format.
  * Helps plugins like "wp-password-bcrypt" because the hash detection ensures NOT expiring existing `$2y$` or better hashes.
Initial:   5. Hook the login Action to check for `is_legacy_password == true` and prompt the user to change their password (including UX with a "why"). On new password creation, set `is_legacy_password = false`
Version 1: 5. Hook the login Action to check for `is_legacy_password == true` and if so (1) Hash their submitted password with `passwordHash` and `password_hash()` to login, (2) Prompt the user to change their password (including UX with a "why"). On new password creation, set `is_legacy_password = false`
Added in Version 1: (edited to note two-step hashing for 1st login when `is_legacy_password == true`)
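Steps 2 through 5 of the comment above, written out in PHP as an added example that is not part of the ticket or of WordPress core. It assumes WordPress's bundled phpass `PasswordHash` class with a callable `crypt_private()`, and a hypothetical `legacy_setting` usermeta key that keeps the `$P$B` setting (identifier plus salt) so the inner phpass hash can be recomputed on each legacy login.

```php
<?php
// Added example, not code from the ticket or from WordPress core. Assumes the
// bundled phpass class PasswordHash (class-phpass.php) is loaded and that its
// crypt_private() is callable (it has no visibility keyword), and assumes a
// hypothetical extra usermeta key `legacy_setting` that keeps the phpass salt.
require_once ABSPATH . WPINC . '/class-phpass.php';

// Step 2: route on the hash identifier instead of assuming one algorithm.
function detect_hash_type(string $hash): string {
    if (str_starts_with($hash, '$P$B'))                                   return 'phpass';
    if (str_starts_with($hash, '$2y$') || str_starts_with($hash, '$2a$')) return 'bcrypt';
    if (str_starts_with($hash, '$argon2i$'))                              return 'argon2i';
    return 'unknown';
}

// Steps 3-4 for one user row: wrap the stored $P$B hash in bcrypt (no plaintext
// needed), keep the 12-char setting "$P$B" + salt so the inner hash can be
// recomputed at login, and flag the account. $2y$ or better hashes are left
// alone, so bcrypt hashes made by plugins are not expired.
function upgrade_user_row(array $user): array {
    if (detect_hash_type($user['user_pass']) !== 'phpass') {
        $user['is_legacy_password'] = false;
        return $user;
    }
    $user['legacy_setting']     = substr($user['user_pass'], 0, 12);
    $user['user_pass']          = password_hash($user['user_pass'], PASSWORD_BCRYPT);
    $user['is_legacy_password'] = true;
    return $user;
}

// Step 5 (1): a legacy account gets the two-step check phpass -> bcrypt;
// everyone else gets plain password_verify().
function check_login_password(string $password, array $user): bool {
    $candidate = $password;
    if ($user['is_legacy_password']) {
        $hasher    = new PasswordHash(8, true); // ctor args only affect new hashes
        $candidate = $hasher->crypt_private($password, $user['legacy_setting']);
    }
    return password_verify($candidate, $user['user_pass']);
}

// Step 5 (2): after the prompted password change, store a direct bcrypt hash
// and clear the flag so the next login skips the phpass step.
function set_new_password(string $newPassword, array $user): array {
    $user['user_pass']          = password_hash($newPassword, PASSWORD_BCRYPT);
    $user['is_legacy_password'] = false;
    unset($user['legacy_setting']);
    return $user;
}
```

Because a `$P$B` hash is 34 printable characters, feeding it to `password_hash()` stays clear of bcrypt's 72-byte truncation and its NUL-byte handling, which is why the inner hash must stay in phpass's encoded form rather than raw bytes.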