Any plan for an Argon2 version of wp-password-bcrypt?


#1

With Argon2 added in PHP 7.2, any plan for an Argon2 version of wp-password-bcrypt?

Hail, all hail the roots team!


#2

Well I suppose we could rename it, or just make another version. But I doubt we will to be honest. Argon2 is supposed to offer some advantages over bcrypt but I’m not sure how much it matters in reality. Any of Argon2, scrypt, or bcrypt is probably good enough.

My one personal slight knock on Argon2 is it’s not as old/battle tested as those other two.

But don’t listen to me, I’m not a security engineer :cold_sweat:


#3

Then, I have to make my own…

For anyone who has a client that insists on Argon2i and peppering, here is a work-in-progress plugin:

Be warned: It is very different from wp-password-bcrypt. Migrating to wp-password-argon-two usually “just works”.
However, migrating out from wp-password-argon-two requires regenerating passwords for all users.


#4

For anyone interested, v0.1.0 has been published!!

Read the project readme before installing.