WP uses md5 with key stretching to hash passwords. This is moderately secure, but using bcrypt instead would be significantly more secure. (Argon2 might be even better, but I have no experience with it, whereas I have been using bcrypt for a couple of years, so I know it works fine.)
WP hasn’t done this because it supports PHP versions lower than 5.5. Since we have already agreed to drop support for versions of PHP below 5.6, we should be in a position to implement this. See http://php.net/manual/en/function.password-hash.php
Read-only archive: https://petitions.classicpress.net/posts/69/hash-passwords-with-bcrypt-instead-of-md5
Author: Tim Kaye
Vote count: 76
Status: open
Tags:
- request-modify-feature
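The migration this request implies, as an added example that is not ClassicPress or WordPress code: existing hashes cannot be converted offline, so each account is upgraded to bcrypt at its next successful login. `legacy_hash()`, `legacy_verify()` and `check_and_upgrade()` are hypothetical names, the `legacy$salt$hex` format is a simplified stand-in for salted, iterated MD5 rather than the real stored format, and the code avoids PHP 7 syntax to match the PHP 5.6 floor mentioned above.

```php
<?php
// Added example. Simplified stand-in for a salted, iterated-MD5 scheme;
// NOT the real WordPress/ClassicPress stored-hash format.
function legacy_hash($password, $salt, $rounds = 8192)
{
    $h = md5($salt . $password, true);
    for ($i = 0; $i < $rounds; $i++) {
        $h = md5($h . $password, true);
    }
    return 'legacy$' . $salt . '$' . bin2hex($h);
}

function legacy_verify($password, $stored)
{
    $parts = explode('$', $stored);
    if (count($parts) !== 3 || $parts[0] !== 'legacy') {
        return false;
    }
    // Constant-time comparison (hash_equals needs PHP >= 5.6).
    return hash_equals($stored, legacy_hash($password, $parts[1]));
}

// Returns array(bool $ok, string|null $replacementHash).
// A non-null second element must be written back to the user record.
function check_and_upgrade($password, $stored, $cost = 12)
{
    $opts = array('cost' => $cost);
    // 'algo' is 0 or null when password_hash() did not produce the value.
    if (!empty(password_get_info($stored)['algo'])) {
        $ok = password_verify($password, $stored);
        // Re-hash only when the stored cost or algorithm is out of date.
        $stale = $ok && password_needs_rehash($stored, PASSWORD_BCRYPT, $opts);
        return array($ok, $stale ? password_hash($password, PASSWORD_BCRYPT, $opts) : null);
    }
    // Legacy record: verify the old way, then replace it with bcrypt.
    $ok = legacy_verify($password, $stored);
    return array($ok, $ok ? password_hash($password, PASSWORD_BCRYPT, $opts) : null);
}

// Constructed sample record: one account still on the legacy scheme.
$stored = legacy_hash('correct horse', 'a1b2c3d4');
list($ok, $new) = check_and_upgrade('correct horse', $stored);
var_dump($ok, password_get_info($new)['algoName']); // successful login, upgraded
var_dump(check_and_upgrade('wrong guess', $stored)); // failed login, no upgrade
var_dump(check_and_upgrade('correct horse', $new));  // already bcrypt, no rewrite
```

Accounts that never log in again keep their old hash, so a deployment still needs a policy for them, such as forcing a reset after a cutoff. PHP's bcrypt also uses only the first 72 bytes of the password.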
Comments