#21022 Switch to using bcrypt for hashing passwords and security keys

src/wp-admin/includes/upgrade.php

@@ -965,6 +965,7 @@ function upgrade_101() {
  *
  * @ignore
  * @since 1.2.0
+ * Since x.y.z User passwords are no longer hashed with md5.
  *
  * @global wpdb $wpdb WordPress database abstraction object.
  */
@@ -980,13 +981,6 @@ function upgrade_110() {
 		}
 	}
 
-	$users = $wpdb->get_results( "SELECT ID, user_pass from $wpdb->users" );
-	foreach ( $users as $row ) {
-		if ( ! preg_match( '/^[A-Fa-f0-9]{32}$/', $row->user_pass ) ) {
-			$wpdb->update( $wpdb->users, array( 'user_pass' => md5( $row->user_pass ) ), array( 'ID' => $row->ID ) );
-		}
-	}
-
 	// Get the GMT offset, we'll use that later on.
 	$all_options = get_alloptions_110();
 

src/wp-includes/class-wp-application-passwords.php

@@ -249,6 +249,7 @@ public static function application_name_exists_for_user( $user_id, $name ) {
 	 * Updates an application password.
 	 *
 	 * @since 5.6.0
+	 * @since x.y.z The actual password should now be hashed using bcrypt instead of phpass. See wp_hash_password().
 	 *
 	 * @param int    $user_id User ID.
 	 * @param string $uuid    The password's UUID.
@@ -284,6 +285,11 @@ public static function update_application_password( $user_id, $uuid, $update = a
 				$save         = true;
 			}
 
+			if ( ! empty( $update['password'] ) && $item['password'] !== $update['password'] ) {
+				$item['password'] = $update['password'];
+				$save             = true;
+			}
+
 			if ( $save ) {
 				$saved = static::set_user_application_passwords( $user_id, $passwords );
 
@@ -296,6 +302,8 @@ public static function update_application_password( $user_id, $uuid, $update = a
 			 * Fires when an application password is updated.
 			 *
 			 * @since 5.6.0
+			 * @since x.y.z The password is now hashed using bcrypt instead of phpass.
+			 *              Existing passwords may still be hashed using phpass.
 			 *
 			 * @param int   $user_id The user ID.
 			 * @param array $item    {

src/wp-includes/class-wp-recovery-mode-key-service.php

@@ -37,24 +37,15 @@ public function generate_recovery_mode_token() {
 	 * Creates a recovery mode key.
 	 *
 	 * @since 5.2.0
-	 *
-	 * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.
+	 * @since x.y.z The stored key is now hashed using bcrypt instead of phpass.
 	 *
 	 * @param string $token A token generated by {@see generate_recovery_mode_token()}.
 	 * @return string Recovery mode key.
 	 */
 	public function generate_and_store_recovery_mode_key( $token ) {
-
-		global $wp_hasher;
-
 		$key = wp_generate_password( 22, false );
 
-		if ( empty( $wp_hasher ) ) {
-			require_once ABSPATH . WPINC . '/class-phpass.php';
-			$wp_hasher = new PasswordHash( 8, true );
-		}
-
-		$hashed = $wp_hasher->HashPassword( $key );
+		$hashed = wp_hash_password( $key );
 
 		$records = $this->get_keys();
 
@@ -85,16 +76,12 @@ public function generate_and_store_recovery_mode_key( $token ) {
 	 *
 	 * @since 5.2.0
 	 *
-	 * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.
-	 *
 	 * @param string $token The token used when generating the given key.
-	 * @param string $key   The unhashed key.
+	 * @param string $key   The plain text key.
 	 * @param int    $ttl   Time in seconds for the key to be valid for.
 	 * @return true|WP_Error True on success, error object on failure.
 	 */
 	public function validate_recovery_mode_key( $token, $key, $ttl ) {
-		global $wp_hasher;
-
 		$records = $this->get_keys();
 
 		if ( ! isset( $records[ $token ] ) ) {
@@ -109,12 +96,7 @@ public function validate_recovery_mode_key( $token, $key, $ttl ) {
 			return new WP_Error( 'invalid_recovery_key_format', __( 'Invalid recovery key format.' ) );
 		}
 
-		if ( empty( $wp_hasher ) ) {
-			require_once ABSPATH . WPINC . '/class-phpass.php';
-			$wp_hasher = new PasswordHash( 8, true );
-		}
-
-		if ( ! $wp_hasher->CheckPassword( $key, $record['hashed_key'] ) ) {
+		if ( ! wp_check_password( $key, $record['hashed_key'] ) ) {
 			return new WP_Error( 'hash_mismatch', __( 'Invalid recovery key.' ) );
 		}
 
@@ -169,9 +151,20 @@ private function remove_key( $token ) {
 	 * Gets the recovery key records.
 	 *
 	 * @since 5.2.0
+	 * @since x.y.z Each key is now hashed using bcrypt instead of phpass.
+	 *              Existing keys may still be hashed using phpass.
+	 *
+	 * @return array {
+	 *     Associative array of token => data pairs, where the data is an associative
+	 *     array of information about the key.
 	 *
-	 * @return array Associative array of $token => $data pairs, where $data has keys 'hashed_key'
-	 *               and 'created_at'.
+	 *     @type array ...$0 {
+	 *         Information about the key.
+	 *
+	 *         @type string $hashed_key The hashed value of the key.
+	 *         @type int    $created_at The timestamp when the key was created.
+	 *     }
+	 * }
 	 */
 	private function get_keys() {
 		return (array) get_option( $this->option_name, array() );
@@ -181,9 +174,19 @@ private function get_keys() {
 	 * Updates the recovery key records.
 	 *
 	 * @since 5.2.0
+	 * @since x.y.z Each key should now be hashed using bcrypt instead of phpass.
+	 *
+	 * @param array $keys {
+	 *     Associative array of token => data pairs, where the data is an associative
+	 *     array of information about the key.
+	 *
+	 *     @type array ...$0 {
+	 *         Information about the key.
 	 *
-	 * @param array $keys Associative array of $token => $data pairs, where $data has keys 'hashed_key'
-	 *                    and 'created_at'.
+	 *         @type string $hashed_key The hashed value of the key.
+	 *         @type int    $created_at The timestamp when the key was created.
+	 *     }
+	 * }
 	 * @return bool True on success, false on failure.
 	 */
 	private function update_keys( array $keys ) {

src/wp-includes/class-wp-user-request.php

@@ -92,6 +92,8 @@ final class WP_User_Request {
 	 * Key used to confirm this request.
 	 *
 	 * @since 4.9.6
+	 * @since x.y.z The key is now hashed using bcrypt instead of phpass.
+	 *
 	 * @var string
 	 */
 	public $confirm_key = '';

src/wp-includes/class-wp-user.php

@@ -11,6 +11,7 @@
  * Core class used to implement the WP_User object.
  *
  * @since 2.0.0
+ * @since x.y.z The `user_pass` property is now hashed using bcrypt instead of phpass.
  *
  * @property string $nickname
  * @property string $description

src/wp-includes/pluggable.php

@@ -2603,90 +2603,129 @@ function wp_hash( $data, $scheme = 'auth' ) {
 	 * instead use the other package password hashing algorithm.
 	 *
 	 * @since 2.5.0
+	 * @since x.y.z The password is now hashed using bcrypt instead of phpass.
 	 *
-	 * @global PasswordHash $wp_hasher PHPass object.
+	 * @global PasswordHash $wp_hasher phpass object.
 	 *
 	 * @param string $password Plain text user password to hash.
 	 * @return string The hash string of the password.
 	 */
 	function wp_hash_password( $password ) {
 		global $wp_hasher;
 
-		if ( empty( $wp_hasher ) ) {
-			require_once ABSPATH . WPINC . '/class-phpass.php';
-			// By default, use the portable hash from phpass.
-			$wp_hasher = new PasswordHash( 8, true );
+		if ( ! empty( $wp_hasher ) ) {
+			return $wp_hasher->HashPassword( trim( $password ) );
 		}
 
-		return $wp_hasher->HashPassword( trim( $password ) );
+		/**
+		 * Filters the options passed to the password_hash() and password_needs_rehash() functions.
+		 *
+		 * @since x.y.z
+		 *
+		 * @param array $options Array of options to pass to the password hashing functions.
+		 *                       By default this is an empty array which means the default
+		 *                       options will be used.
+		 */
+		$options = apply_filters( 'wp_hash_password_options', array() );
+
+		return password_hash( trim( $password ), PASSWORD_BCRYPT, $options );
 	}
 endif;
 
 if ( ! function_exists( 'wp_check_password' ) ) :
 	/**
 	 * Checks a plaintext password against a hashed password.
 	 *
-	 * Maintains compatibility between old version and the new cookie authentication
-	 * protocol using PHPass library. The $hash parameter is the encrypted password
-	 * and the function compares the plain text password when encrypted similarly
-	 * against the already encrypted password to see if they match.
+	 * Note that this function is used for checking more than just user passwords, for
+	 * example it's used for checking application passwords, post passwords, recovery mode
+	 * keys, user password reset keys, and more. There is not always a user ID associated
+	 * with the password.
 	 *
 	 * For integration with other applications, this function can be overwritten to
 	 * instead use the other package password hashing algorithm.
 	 *
 	 * @since 2.5.0
+	 * @since x.y.z Passwords in WordPress are now hashed with bcrypt by default. A
+	 *              password that wasn't hashed with bcrypt will be checked with phpass.
+	 *              Passwords hashed with md5 are no longer supported.
 	 *
-	 * @global PasswordHash $wp_hasher PHPass object used for checking the password
-	 *                                 against the $hash + $password.
-	 * @uses PasswordHash::CheckPassword
+	 * @global PasswordHash $wp_hasher phpass object. Used as a fallback for verifying
+	 *                                 passwords that were hashed with phpass.
 	 *
-	 * @param string     $password Plaintext user's password.
-	 * @param string     $hash     Hash of the user's password to check against.
-	 * @param string|int $user_id  Optional. User ID.
+	 * @param string     $password Plaintext password.
+	 * @param string     $hash     Hash of the password to check against.
+	 * @param string|int $user_id  Optional. ID of a user associated with the password.
 	 * @return bool False, if the $password does not match the hashed password.
 	 */
 	function wp_check_password( $password, $hash, $user_id = '' ) {
 		global $wp_hasher;
 
-		// If the hash is still md5...
-		if ( strlen( $hash ) <= 32 ) {
-			$check = hash_equals( $hash, md5( $password ) );
-			if ( $check && $user_id ) {
-				// Rehash using new hash.
-				wp_set_password( $password, $user_id );
-				$hash = wp_hash_password( $password );
-			}
+		$check = false;
 
+		// If the hash is still md5 or otherwise truncated then invalidate it.
+		if ( strlen( $hash ) <= 32 ) {
 			/**
-			 * Filters whether the plaintext password matches the encrypted password.
+			 * Filters whether the plaintext password matches the hashed password.
 			 *
 			 * @since 2.5.0
+			 * @since x.y.z Passwords are now hashed with bcrypt by default.
+			 *              Old passwords may still be hashed with phpass.
 			 *
 			 * @param bool       $check    Whether the passwords match.
 			 * @param string     $password The plaintext password.
 			 * @param string     $hash     The hashed password.
-			 * @param string|int $user_id  User ID. Can be empty.
+			 * @param string|int $user_id  Optional ID of a user associated with the password.
+			 *                             Can be empty.
 			 */
 			return apply_filters( 'check_password', $check, $password, $hash, $user_id );
 		}
 
-		/*
-		 * If the stored hash is longer than an MD5,
-		 * presume the new style phpass portable hash.
-		 */
-		if ( empty( $wp_hasher ) ) {
+		if ( ! empty( $wp_hasher ) ) {
+			$check = $wp_hasher->CheckPassword( $password, $hash );
+		} elseif ( str_starts_with( $hash, '$P$' ) ) {
 			require_once ABSPATH . WPINC . '/class-phpass.php';
-			// By default, use the portable hash from phpass.
-			$wp_hasher = new PasswordHash( 8, true );
+			// Use the portable hash from phpass.
+			$hasher = new PasswordHash( 8, true );
+			$check  = $hasher->CheckPassword( $password, $hash );
+		} else {
+			$check = password_verify( $password, $hash );
 		}
 
-		$check = $wp_hasher->CheckPassword( $password, $hash );
-
 		/** This filter is documented in wp-includes/pluggable.php */
 		return apply_filters( 'check_password', $check, $password, $hash, $user_id );
 	}
 endif;
 
+if ( ! function_exists( 'wp_password_needs_rehash' ) ) :
+	/**
+	 * Checks whether a password hash needs to be rehashed.
+	 *
+	 * Passwords are hashed with bcrypt using the default cost. A password hashed in a prior version
+	 * of WordPress may still be hashed with phpass and will need to be rehashed. If the default cost
+	 * or algorithm is changed in PHP or WordPress then a password hashed in a previous version will
+	 * need to be rehashed.
+	 *
+	 * @since x.y.z
+	 *
+	 * @global PasswordHash $wp_hasher phpass object.
+	 *
+	 * @param string $hash Hash of a password to check.
+	 * @return bool Whether the hash needs to be rehashed.
+	 */
+	function wp_password_needs_rehash( $hash ) {
+		global $wp_hasher;
+
+		if ( ! empty( $wp_hasher ) ) {
+			return false;
+		}
+
+		/** This filter is documented in wp-includes/pluggable.php */
+		$options = apply_filters( 'wp_hash_password_options', array() );
+
+		return password_needs_rehash( $hash, PASSWORD_BCRYPT, $options );
+	}
+endif;
+
 if ( ! function_exists( 'wp_generate_password' ) ) :
 	/**
 	 * Generates a random password drawn from the defined set of characters.
@@ -2835,6 +2874,7 @@ function wp_rand( $min = null, $max = null ) {
 	 * of password resets if precautions are not taken to ensure it does not execute on every page load.
 	 *
 	 * @since 2.5.0
+	 * @since x.y.z The password is now hashed using bcrypt instead of phpass.
 	 *
 	 * @global wpdb $wpdb WordPress database abstraction object.
 	 *

src/wp-includes/post-template.php

@@ -882,14 +882,11 @@ function post_password_required( $post = null ) {
 		return apply_filters( 'post_password_required', true, $post );
 	}
 
-	require_once ABSPATH . WPINC . '/class-phpass.php';
-	$hasher = new PasswordHash( 8, true );
-
 	$hash = wp_unslash( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] );
-	if ( ! str_starts_with( $hash, '$P$B' ) ) {
+	if ( ! str_starts_with( $hash, '$' ) ) {
 		$required = true;
 	} else {
-		$required = ! $hasher->CheckPassword( $post->post_password, $hash );
+		$required = ! wp_check_password( $post->post_password, $hash );
 	}
 
 	/**