ClassicPress Petitions

Hash passwords with bcrypt instead of md5

September 23, 2018 · 16:10 · Tim Kaye
Description

WP uses md5 with key stretching to hash passwords. This is moderately secure, but using bcrypt instead would be significantly more secure. (Argon2 might be even better, but I have no experience with it, whereas I have been using bcrypt for a couple of years, so I know it works fine.)

WP hasn't done this because it supports PHP versions lower than 5.5. Since we have already agreed to drop support for versions of PHP below 5.6, we should be in a position to implement this. See http://php.net/manual/en/function.password-hash.php
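As an added example (not code from the petition or from the ClassicPress pull request it refers to), the sketch below shows the PHP `password_hash()` / `password_verify()` API from the linked manual page used with bcrypt, together with the migration check a core change needs: users whose stored hash is still in the legacy format are verified by the existing verifier and, on a successful login, transparently rehashed to bcrypt. The `$legacy_md5` callback and all sample passwords are constructed stand-ins; a real WordPress/ClassicPress site would pass its existing phpass-based check instead.

```php
<?php
// Added example, not part of the petition or of ClassicPress core. Requires PHP >= 5.6
// (password_* API since 5.5, hash_equals() since 5.6), matching the version floor
// discussed above.

// Hash a new password with bcrypt. PASSWORD_BCRYPT names the algorithm explicitly;
// "cost" is the work factor (2^cost rounds). 12 is a reasonable present-day default;
// measure login latency on the target server before raising it.
function hash_password_bcrypt($plain, $cost = 12)
{
    return password_hash($plain, PASSWORD_BCRYPT, array('cost' => $cost));
}

// Verify $plain against $stored and decide whether the stored hash should be replaced.
// Returns array(bool $ok, string|null $new_hash): $new_hash is non-null when the
// caller should overwrite the stored hash (legacy format, or bcrypt at an outdated cost).
// $legacy_verify is the site's existing verifier for non-bcrypt hashes.
function check_password_upgrade($plain, $stored, callable $legacy_verify, $cost = 12)
{
    // Native bcrypt hashes produced by password_hash() carry the "$2y$" prefix.
    if (strncmp($stored, '$2y$', 4) === 0) {
        if (!password_verify($plain, $stored)) {
            return array(false, null);
        }
        // Correct password. password_verify() reads cost from the hash itself, so a
        // raised policy cost still verifies old hashes; password_needs_rehash() tells
        // us when to upgrade them.
        $needs = password_needs_rehash($stored, PASSWORD_BCRYPT, array('cost' => $cost));
        return array(true, $needs ? hash_password_bcrypt($plain, $cost) : null);
    }

    // Legacy (non-bcrypt) hash: defer to the existing verifier. If the password is
    // correct we have the plaintext in hand, so this is the moment to issue a bcrypt
    // hash for the caller to store in place of the old one.
    if ($legacy_verify($plain, $stored)) {
        return array(true, hash_password_bcrypt($plain, $cost));
    }
    return array(false, null);
}

// Constructed stand-in for the legacy verifier. Plain md5() is used only to keep the
// example self-contained; WordPress's real legacy path is phpass (salted, stretched md5).
$legacy_md5 = function ($plain, $stored) {
    return hash_equals($stored, md5($plain));
};

// Walk-through with constructed values: a user whose row still holds a legacy hash.
$password   = 'correct horse battery staple';       // constructed sample
$stored     = md5($password);                        // what the database holds today

list($ok, $new_hash) = check_password_upgrade($password, $stored, $legacy_md5);
if ($ok && $new_hash !== null) {
    // Persist $new_hash for this user; from now on the bcrypt branch handles them.
    $stored = $new_hash;
}

// Second login: already bcrypt at the policy cost, so no rehash is requested.
list($ok2, $new_hash2) = check_password_upgrade($password, $stored, $legacy_md5);

// Wrong password against the bcrypt hash: rejected, nothing to store.
list($ok3, $new_hash3) = check_password_upgrade('wrong password', $stored, $legacy_md5);

var_dump($ok, $new_hash !== null, $ok2, $new_hash2, $ok3);
```

Two points worth keeping in mind when wiring this into core: the upgrade only happens on a successful login, so dormant accounts keep their legacy hash until the user next signs in (or is forced to reset), and the bcrypt hash is longer than the legacy one, so the `user_pass` column must be wide enough (60 characters for `$2y$`) before deploying.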

Tags
Request: Modify feature
Discussion
Dustin Snider

I can get behind this.

Pieter Bos

Big thumbs up for this one, great suggestion, make it happen!

James Nylen

Code exists for this one, thanks Tim for putting it together: https://github.com/ClassicPress/ClassicPress/pull/83

Simon Pollard

I have been using https://github.com/roots/wp-password-bcrypt for a while now - would be nice to have to depend upon that and it just be standard practice. Amazes me how this is not fixed in core. Gets my vote and then some :)

Ian

Yes!

William Patton

https://core.trac.wordpress.org/ticket/21022 Lots of discussion and suggestions on that ticket about this.

James Nylen

Thanks for the link William, it is always helpful to know about previous WP discussion about any of these issues.

Jesse

We forked the Roots plugin a while back to force Bcrypt hashing:

https://github.com/littlebizzy/force-strong-hashing

Argon2 is only supported in PHP 7.2+ and is not a good idea to implement because it's not considered a mature algorithm. When it comes to encryption, several years of history in terms of stability and security is worth more than slightly stronger hashing, so while Bcrypt is a good idea, Argon2 is not (for now).

Avrom

Yes please. MD5 is not that secure, this would be awesome to replace it with something better. Thank you!