
Opened 9 years ago

Last modified 8 months ago

#21022 new enhancement

Allow bcrypt to be enabled via filter for pass hashing — at Initial Version

Reported by: th23 Owned by:
Milestone: Future Release Priority: normal
Severity: major Version: 3.4
Component: Security Keywords: 2nd-opinion has-patch needs-testing dev-feedback
Focuses: Cc:

Description

Hi,

Following recent discussions on password security and how best to prevent hackers from leveraging a password table they might have obtained, I looked into the phpass used by WordPress.

While I in principle understand why WordPress uses the compatibility mode of it, I would like to see some flexibility for those who don't need the compatibility.

Thus I would propose to change in wp-includes/pluggable.php all occurrences of

$wp_hasher = new PasswordHash(8, true);

to

$wp_hasher = new PasswordHash(8, apply_filters('phpass_compatibility_mode', true));

This would allow users to easily change via plugin from the "not so secure" compatibility mode (only salted MD5) of phpass to a more secure setting (bcrypt) in case no compatibility with other applications is required.

The plugin changing the encryption method could then be as easy as

function phpass_bcrypt() {
    // Returning false turns off phpass compatibility mode, so new hashes use bcrypt.
    return false;
}
add_filter('phpass_compatibility_mode', 'phpass_bcrypt');
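The following is an added illustration, not code from the ticket or from WordPress itself: it shows what a site that flips the proposed filter would observe, namely that phpass in bcrypt mode still verifies the existing portable ("$P$") hashes, so stored passwords can be re-hashed gradually on login instead of forcing a reset. It assumes WordPress's bundled wp-includes/class-phpass.php is available at the path shown, and the sample password is constructed.

```php
<?php
// Added example: not part of the ticket. Assumes the stock phpass class shipped
// with WordPress; the relative path is an assumption for a stand-alone run.
require_once __DIR__ . '/wp-includes/class-phpass.php';

$password = 'correct horse battery staple'; // constructed sample password

// Current WordPress behaviour: compatibility mode, salted iterated MD5 ("$P$...").
$portable = new PasswordHash(8, true);
$old_hash = $portable->HashPassword($password);

// Behaviour once a plugin returns false from 'phpass_compatibility_mode':
// bcrypt ("$2a$...") when PHP's CRYPT_BLOWFISH is available, otherwise
// phpass silently falls back to the portable scheme.
$bcrypt   = new PasswordHash(8, false);
$new_hash = $bcrypt->HashPassword($password);

printf("portable hash: %s\nbcrypt hash:   %s\n", $old_hash, $new_hash);

// phpass CheckPassword() dispatches on the hash prefix, so the bcrypt-mode
// hasher validates both the legacy portable hash and the new bcrypt hash.
printf("old hash verifies under bcrypt hasher: %s\n",
    $bcrypt->CheckPassword($password, $old_hash) ? 'yes' : 'no');
printf("new hash verifies under bcrypt hasher: %s\n",
    $bcrypt->CheckPassword($password, $new_hash) ? 'yes' : 'no');
printf("wrong password rejected:               %s\n",
    $bcrypt->CheckPassword('wrong password', $old_hash) ? 'no' : 'yes');

/**
 * Upgrade-on-login helper (hypothetical name): once the user has proven the
 * password against the stored hash, replace a legacy portable hash with a
 * bcrypt one. Returns the hash that should be stored going forward.
 */
function maybe_rehash_to_bcrypt(PasswordHash $hasher, $password, $stored) {
    if (!$hasher->CheckPassword($password, $stored)) {
        return $stored; // authentication failed; leave the record untouched
    }
    $is_portable = strncmp($stored, '$P$', 3) === 0 || strncmp($stored, '$H$', 3) === 0;
    return $is_portable ? $hasher->HashPassword($password) : $stored;
}

$migrated = maybe_rehash_to_bcrypt($bcrypt, $password, $old_hash);
printf("after login, stored hash becomes: %s\n", $migrated);
```

Because hash verification is prefix-driven, a site that enables bcrypt via this filter and later disables it would likewise still verify the bcrypt hashes created in the meantime.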

Change History (0)
