id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc,focuses
21022,Use bcrypt for password hashing; updating old hashes,th23,,"Hi,

following recent discussions on password security and how to best prevent hackers from leveraging a password table they might have got, I looked into the phpass used for WordPress.

While I in principle understand why WordPress uses the compatibility mode of it, I would like to see some flexibility for those who don't need the compatibility.

Thus I would propose to change in wp-includes/pluggable.php all occurrences of
{{{
$wp_hasher = new PasswordHash(8, true);
}}}
to
{{{
$wp_hasher = new PasswordHash(8, apply_filters('phpass_compatibility_mode', true));
}}}

This would allow users to easily change via plugin from the ""not so secure"" compatibility mode (only salted MD5) of phpass to a more secure setting (bcrypt) in case no compatibility with other applications is required.

The plugin changing the encryption method could then be as easy as
{{{
function phpass_bcrypt() {
    return false;
}
add_filter('phpass_compatibility_mode', 'phpass_bcrypt');
}}}",enhancement,new,normal,Future Release,Security,3.4,major,,2nd-opinion has-patch needs-testing dev-feedback,,