Changes between Version 1 and Version 2 of Ticket #21022, comment 79


Timestamp: 09/27/2016 06:36:37 PM (5 years ago)
Author: tomdxw

  • Ticket #21022, comment 79

    v1  v2
    4   4   2. if PHP version >= 5.3.7, use the PHP password_hash()/password_verify() functions (for lower versions of PHP, keep using PasswordHash class from phpass)
    5   5   3. when a user logs in, if the site is using bcrypt and their password is hashed using portable hashes, update their hash to a bcrypt hash
    6       4. when a user logs in, if the site is *not* using bcrypt and their password is hashed using bcrypt (i.e. when PHP is downgraded), automatically send a password reset and show a message saying "Sorry, something has gone wrong and you must reset your password. A link has been sent to the email address you registered with. <a href="https://codex.wordpress.org/Foobar">More information</a>."
        6   4. when a user logs in, if the site is *not* using bcrypt and their password is hashed using bcrypt (i.e. when PHP is downgraded), show a message saying "Sorry, something has gone wrong and you must reset your password. <a href="https://codex.wordpress.org/Foobar">More information</a>."
    7   7
    8   8   Does this look correct? Have I missed anything? If somebody produced a patch containing the above changes, could we get it committed?
        9
        10  Edit: Removed comment about automatically sending a password reset because the code that sends a password reset lives in wp-login.php so it's not easily accessible from other places.
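
The login-time decision in steps 2 to 4 of the comment (v2 wording), as an added PHP example; it is not part of the ticket comment or of WordPress core. The names `hash_kind`, `login_check`, `$checkPortable` and `$useBcrypt` are hypothetical, the portable-hash check is injected as a callable standing in for phpass, the message text is quoted without its link, and the code assumes PHP 7 or later with native `password_hash()`.

```php
<?php
// Added illustration; not WordPress core code. Function names are hypothetical.

// phpass portable hashes start with "$P$"; bcrypt hashes start with "$2y$" (or "$2a$"/"$2b$").
function hash_kind(string $stored): string {
    if (strncmp($stored, '$P$', 3) === 0) {
        return 'portable';
    }
    return preg_match('/^\$2[aby]\$/', $stored) === 1 ? 'bcrypt' : 'unknown';
}

/**
 * Returns [authenticated, replacement hash or null, user-facing message or null].
 * $checkPortable stands in for phpass PasswordHash::CheckPassword().
 * $useBcrypt is step 2's decision (password_hash() is available on this PHP).
 */
function login_check(string $password, string $stored, callable $checkPortable, bool $useBcrypt): array {
    switch (hash_kind($stored)) {
        case 'bcrypt':
            if (!$useBcrypt) {
                // Step 4: PHP was downgraded and the hash cannot be verified, so fail closed.
                return [false, null, 'Sorry, something has gone wrong and you must reset your password.'];
            }
            return [password_verify($password, $stored), null, null];
        case 'portable':
            $ok = (bool) $checkPortable($password, $stored);
            // Step 3: re-hash only after a successful check, while the plaintext is in hand.
            $new = ($ok && $useBcrypt) ? password_hash($password, PASSWORD_BCRYPT) : null;
            return [$ok, $new, null];
        default:
            return [false, null, null];
    }
}

// Constructed demo data: a toy checker replaces real phpass verification.
$legacy = '$P$constructed-portable-hash';
$toyCheck = function (string $p, string $h) use ($legacy): bool {
    return $h === $legacy && hash_equals('hunter2', $p);
};

list($ok, $new) = login_check('hunter2', $legacy, $toyCheck, true);
var_dump($ok, hash_kind((string) $new));   // step 3: caller stores $new in place of $legacy

list($ok, $new) = login_check('wrong', $legacy, $toyCheck, true);
var_dump($ok, $new);                       // a failed login must never trigger a re-hash

$bcrypt = password_hash('hunter2', PASSWORD_BCRYPT);
list($ok, , $msg) = login_check('hunter2', $bcrypt, $toyCheck, false);
var_dump($ok, $msg);                       // step 4: correct password, but login is refused
```

The step 4 branch returns before any comparison is attempted, so a downgraded site rejects the login instead of falling back to a weaker check.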