Any plan for an Argon2 version of wp-password-bcrypt?

TangRufus · February 4, 2018, 7:39pm

With Argon2 added in PHP 7.2, any plan for an Argon2 version of wp-password-bcrypt?

Hail, all hail the roots team!

swalkinshaw · February 9, 2018, 1:58am

Well I suppose we could rename it, or just make another version. But I doubt we will to be honest. Argon2 is supposed to offer some advantages over bcrypt but I’m not sure how much it matters in reality. Any of Argon2, scrypt, or bcrypt is probably good enough.

My one personal slight knock on Argon2 is it’s not as old/battle tested as those other two.

But don’t listen to me, I’m not a security engineer

TangRufus · February 11, 2018, 6:36am

Then, I have to make my own…

For anyone who have a client insists on Argon2i and peppering, here is a work in progress plugin:

Be warned: It is very different from wp-password-bcrypt. Migrating to wp-password-argon-two is usually “just work”.
However, migrating out from wp-password-argon-two requires regenerating passwords for all users.

TangRufus · February 27, 2018, 5:35pm

For anyone interested, v0.1.0 has published !!

Read the project readme before installing.