My site is built using Bedrock and Sage9 but this question isn’t strictly related to either. I’m hoping however to tap into the wealth of knowledge here to help me complete a security review that I’ve been asked to do by my client.
In the section entitled ‘Use a strong hash algorithm for passwords storage’ the requirements are listed as follows:
- MD5 and SHA-1 must not be used.
- SHA-256 or superior must be used.
- Each password must be hashed after having been concatenated with a per-user random string (of at least 32 characters), which is called a salt. It helps make brute-force and rainbow-table-based attacks much slower.
- The hash algorithm should be reiterated at least 50 times (PBKDF2 may be used).
I have researched the above in an attempt to check that WordPress conforms with these requirements, but I'm not sure; I seem to find conflicting answers. Basically I need to answer 'yes' to each of these points, but I have to be sure in what I am saying. Can anyone give me some guidance/assurance that WordPress conforms (with Bedrock and Sage9)?
Many thanks in advance
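The four requirements above, written out as a checkable PHP routine using PBKDF2-HMAC-SHA256. This is an added example, not code from the original post and not WordPress core's own password hashing; the function names and the `pbkdf2$algo$iterations$salt$hash` record format are assumptions.

```php
<?php
// Added example: implements the four listed requirements (no MD5/SHA-1, SHA-256 or
// better, per-user salt of >= 32 characters, >= 50 iterations) with PBKDF2-HMAC-SHA256.
// Not WordPress core code; function names and the stored-record format are assumptions.
declare(strict_types=1);

const PWD_ALGO       = 'sha256';  // SHA-256 (rules out MD5 and SHA-1)
const PWD_SALT_BYTES = 32;        // 32 random bytes -> 64 hex characters, i.e. a salt > 32 chars
const PWD_ITERATIONS = 100000;    // far above the 50-iteration minimum; tune to ~100 ms per hash

/** Hash a new password. Returns "pbkdf2$<algo>$<iterations>$<salt>$<hash>". */
function make_password_record(string $password): string
{
    $salt = bin2hex(random_bytes(PWD_SALT_BYTES));                        // per-user random salt
    $hash = hash_pbkdf2(PWD_ALGO, $password, $salt, PWD_ITERATIONS, 64);  // 64 hex chars = 256 bits
    return implode('$', ['pbkdf2', PWD_ALGO, PWD_ITERATIONS, $salt, $hash]);
}

/** Verify a candidate password against a stored record using a constant-time comparison. */
function verify_password_record(string $password, string $record): bool
{
    $parts = explode('$', $record);
    if (count($parts) !== 5 || $parts[0] !== 'pbkdf2') {
        return false;
    }
    [, $algo, $iterations, $salt, $hash] = $parts;
    $candidate = hash_pbkdf2($algo, $password, $salt, (int) $iterations, strlen($hash));
    return hash_equals($hash, $candidate);
}

/** Audit an existing stored record against the four review requirements. */
function record_meets_requirements(string $record): array
{
    [, $algo, $iterations, $salt] = explode('$', $record) + ['', '', '0', ''];
    $algo = strtolower($algo);
    return [
        'no_md5_sha1'      => !in_array($algo, ['md5', 'sha1'], true),
        'sha256_or_better' => in_array($algo, ['sha256', 'sha384', 'sha512'], true),
        'salt_32_chars'    => strlen($salt) >= 32,
        'iterations_50'    => (int) $iterations >= 50,
    ];
}

// Constructed sample usage.
$record = make_password_record('correct horse battery staple');
var_dump(verify_password_record('correct horse battery staple', $record));
var_dump(verify_password_record('wrong password', $record));
print_r(record_meets_requirements($record));
```

The audit function only inspects the record's own parameters; whether an installed hashing scheme conforms has to be judged from the records it actually writes to the database.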