WordPress.org

Phpass not using bcrypt for password encryption (2 posts)

  1. heisec
    Member
    Posted 3 years ago #

    Hi, I've just noticed that stored passwords are only secured with the less safe MD5/Salt/Rounds configuration on an Ubuntu system. The entry in the database is $P$ByIsE1Zz59c5Ca0hztHuTOQLVQUMVS1. $P$ stands for the internal MD5 implementation of phpass.

    According to the doc, phpass should use MD5 only as a fallback and use bcrypt first. (Yes, bcrypt support is installed on my system.)

    Is there a reason why WordPress uses the less safe method?

    Regards
    Daniel Bachfeld
    heise Security

  2. benatkin
    Member
    Posted 2 years ago #

    > According to the doc, phpass should use MD5 only as a fallback and use bcrypt first. (Yes, bcrypt support is installed on my system.)

    Regarding the fallback, it doesn't work that way. WordPress is meant to be portable. If a database gets moved from a system that has bcrypt to a system that doesn't, users will not be able to be logged in unless bcrypt is installed on the new system.
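
For anyone auditing a user table after reading this thread, the following added example (not part of either post, and not WordPress or phpass code) classifies stored hashes by prefix and decodes the work factor, using the `$P$` hash quoted in the first post. The function names and the other sample rows are constructed for illustration.

```python
import re

# Crypt-style alphabet phpass uses for its portable hashes (not RFC 4648 base64).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
C = "[./0-9A-Za-z]"
# $P$ + 1-char iteration exponent + 8-char salt + 22-char encoded MD5 digest.
PORTABLE_RE = re.compile(rf"\$P\$({C})({C}{{8}}){C}{{22}}")
# $2a$/$2b$/$2x$/$2y$ + two-digit cost + $ + 22-char salt + 31-char digest.
BCRYPT_RE = re.compile(rf"\$2[abxy]\$(\d{{2}})\$({C}{{22}}){C}{{31}}")


def classify(stored):
    """Describe the scheme and work factor encoded in one stored hash string."""
    m = PORTABLE_RE.fullmatch(stored)
    if m:
        log2 = ITOA64.index(m.group(1))
        if not 7 <= log2 <= 30:  # range phpass itself accepts
            return {"scheme": "malformed", "why": "iteration exponent outside 7..30"}
        return {"scheme": "phpass-portable-md5", "log2": log2,
                "iterations": 1 << log2, "salt": m.group(2)}
    m = BCRYPT_RE.fullmatch(stored)
    if m:
        cost = int(m.group(1))
        if not 4 <= cost <= 31:  # range bcrypt defines
            return {"scheme": "malformed", "why": "bcrypt cost outside 4..31"}
        return {"scheme": "bcrypt", "log2": cost, "iterations": 1 << cost,
                "salt": m.group(2)}
    return {"scheme": "unknown"}


def not_bcrypt(rows):
    """Return the logins from (login, hash) rows whose hash is not bcrypt."""
    return [login for login, stored in rows if classify(stored)["scheme"] != "bcrypt"]


# Constructed sample rows: the first hash is the one quoted in the thread, the
# second is a bcrypt-shaped placeholder (not a real digest), the third is a
# 32-hex-character filler string.
ROWS = [
    ("user1", "$P$ByIsE1Zz59c5Ca0hztHuTOQLVQUMVS1"),
    ("user2", "$2y$10$" + "a" * 53),
    ("user3", "0123456789abcdef" * 2),
]

if __name__ == "__main__":
    for login, stored in ROWS:
        print(login, classify(stored))
    print("not on bcrypt:", not_bcrypt(ROWS))
```
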
