#21022: Use bcrypt for password hashing; updating old hashes

Reporter: th23
Owner:
Type: enhancement
Status: new
Priority: normal
Milestone: Future Release
Component: Security
Version: 3.4
Severity: major
Resolution:
Keywords: 2nd-opinion has-patch needs-testing dev-feedback
Cc:
Focuses:

Description:

Hi,

following recent discussions on password security and how best to prevent hackers from leveraging a password table they might have got, I looked into the phpass used for WordPress. While I understand in principle why WordPress uses its compatibility mode, I would like to see some flexibility for those who don't need the compatibility.

Thus I would propose to change in wp-includes/pluggable.php all occurrences of

{{{
$wp_hasher = new PasswordHash(8, true);
}}}

to

{{{
$wp_hasher = new PasswordHash(8, apply_filters('phpass_compatibility_mode', true));
}}}

This would allow users to easily change via plugin from the "not so secure" compatibility mode (only salted MD5) of phpass to a more secure setting (bcrypt) in case no compatibility with other applications is required.

The plugin changing the encryption method could then be as easy as

{{{
function phpass_bcrypt() {
    return false;
}
add_filter('phpass_compatibility_mode', 'phpass_bcrypt');
}}}
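A worked illustration of what the proposed switch does to the hashes and of the "updating old hashes" half of the summary, added here as an example and not code from the ticket or from WordPress core; it assumes only that phpass's PasswordHash class (as shipped in wp-includes/class-phpass.php) can be loaded, and the helper names are hypothetical:

```php
<?php
// Added example; not code from ticket #21022 or WordPress core. Assumes phpass's
// PasswordHash class (as shipped in wp-includes/class-phpass.php) is loadable.
require_once 'wp-includes/class-phpass.php';

// Emulates the proposed 'phpass_compatibility_mode' filter outside WordPress:
// true  => portable salted-MD5 hashes ($P$...), the current default
// false => bcrypt ($2a$...) when PHP's crypt() supports CRYPT_BLOWFISH
function make_hasher($compatibility_mode = true) {
    return new PasswordHash(8, $compatibility_mode);
}

// Caveat: with compatibility off, phpass silently falls back to extended DES and
// then to portable hashes if CRYPT_BLOWFISH is missing, so check before relying on it.
function bcrypt_available() {
    return defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH === 1;
}

// Portable phpass hashes carry a $P$ (or $H$) prefix; bcrypt hashes start with $2a$.
function is_portable_hash($hash) {
    return preg_match('/^\$[PH]\$/', $hash) === 1;
}

// Login-time upgrade: CheckPassword dispatches on the stored hash's prefix, so the
// existing $P$ hashes keep verifying after the switch. When the password is correct
// and the stored hash is still portable, return a bcrypt replacement for the caller
// to persist; otherwise return null so nothing is rewritten.
function verify_and_upgrade($password, $stored_hash) {
    $strong = make_hasher(false);
    if (!$strong->CheckPassword($password, $stored_hash)) {
        return array('ok' => false, 'new_hash' => null);
    }
    $new_hash = null;
    if (is_portable_hash($stored_hash) && bcrypt_available()) {
        $new_hash = $strong->HashPassword($password);
    }
    return array('ok' => true, 'new_hash' => $new_hash);
}

// Walk-through with a constructed legacy hash (a $P$ hash as WordPress stores today):
$legacy = make_hasher(true)->HashPassword('correct horse');
$result = verify_and_upgrade('correct horse', $legacy);
printf("verified: %s, replacement hash prefix: %s\n",
    $result['ok'] ? 'yes' : 'no',
    $result['new_hash'] === null ? '(unchanged)' : substr($result['new_hash'], 0, 7));
```

Persisting `new_hash` only after a successful check is what makes the migration gradual: users who never log in again keep their old hash, so the weaker ones remain in the table until each account is next used.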