• Hi, I’ve just noticed that stored passwords are only secured with the less safe MD5/salt/rounds configuration on an Ubuntu system. The entry in the database is $P$ByIsE1Zz59c5Ca0hztHuTOQLVQUMVS1. $P$ stands for the internal MD5 implementation of phpass.

    According to the docs, phpass should use MD5 only as a fallback and use bcrypt first. (Yes, bcrypt support is installed on my system.)

    Is there a reason why WordPress uses the less safe method?

    regards
    Daniel Bachfeld
    heise Security

Viewing 1 replies (of 1 total)
  • > According to the docs, phpass should use MD5 only as a fallback and use bcrypt first. (Yes, bcrypt support is installed on my system.)

    Regarding the fallback, it doesn’t work that way. WordPress is meant to be portable. If a database gets moved from a system that has bcrypt to a system that doesn’t, users will not be able to log in unless bcrypt is installed on the new system.

  • The topic ‘Phpass not using bcrypt for password encryption’ is closed to new replies.