Roots Discourse

Improving WordPress Passwords Security


#21

Yikes! I wonder when they added that. I have a couple of plugins that have PHP >= 5.4 syntax, I guess maybe they’re grandfathered in?

Yet another reason WP needs to take a strong stance on forcing PHP upgrades.


#22

I’ve been using the plugin wp-bcrypt on a few sites for a while now, and one thing I noticed is that bcrypt isn’t fully supported in WP < 4.4. Whilst login worked, the password reset feature didn’t.

Although I haven’t tried it with the wp-password-bcrypt plugin, I would imagine it’ll suffer the same problems. These were caused by a field length limit in the WordPress database schema.

For more info see issue 33904 on the WordPress bug tracker. There’s also an explanation of the behaviour here.

Considering this puts a dependency on having WordPress 4.4 installed, you might want to list it as one of the requirements of wp-password-bcrypt in the plugin’s README.


#23

Thanks @ollietreend. I had no idea about this. I’ll update the README today and add this.


#24

Cool thing… I really do not understand why WP is still using MD5!

Instead of wp-password-bcrypt I suggest that it be renamed to wp-native-php-password just my two cents on this one :wink: