
WP PHP Password

A basic replacement for WordPress's built-in password hashing, forked from Roots Password Bcrypt.

This plugin replaces the default password hasher used by WordPress (PHPass) with PHP's native password hashing functions, so it can take advantage of stronger algorithms such as Bcrypt and Argon2.

This plugin is based on the Roots original but also provides a few quality-of-life improvements over the Roots version, which has not received much attention in a while.

Primarily:

  • Each function is wrapped in a function_exists() check, so it works with PHPStan and other static analysis tools
  • Supports more than just Bcrypt; for example, it can be extended to support Argon2

Installation

Install manually into the mu-plugins folder.

If installed as a regular plugin, it may not run properly if another plugin is also overriding the password functions.

Switching to Argon

// Filter callback: ignore the algorithm the plugin would otherwise use and
// return Argon2id instead. PASSWORD_ARGON2ID is only defined when PHP was
// built with Argon2 support.
function my_password_algo( $algo ) {
    return PASSWORD_ARGON2ID;
}
add_filter( 'wp_php_hash_password_algorithm', 'my_password_algo' );

Your PHP build must be compiled with Argon2 support for the above to work. If you use WP-CLI, make sure the CLI build of PHP is also compiled with Argon2.

You might also want to use the wp_hash_password_options filter to provide alternative options:

// Filter callback: replace the options passed to password_hash(). These keys
// are the Argon2 ones; for Argon2, memory_cost is measured in kibibytes.
function my_password_options( $options ) {
    $supports = [
        'memory_cost' => 2048,
        'time_cost'   => 4,
        'threads'     => 3,
    ];
    return $supports;
}
add_filter( 'wp_hash_password_options', 'my_password_options' );
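As an added example (not the plugin's own code), a complete mu-plugin that combines both filters, only selects Argon2id when the running PHP build actually provides it, and reads the algorithm back out of a stored hash. It assumes the two filter names shown above; the example_ function names are assumptions.

```php
<?php
/**
 * Plugin Name: Argon2id for wp-php-password (added example)
 * Drop into wp-content/mu-plugins/. Relies only on the two filters the
 * wp-php-password README documents; everything else is example code.
 */

// Select Argon2id only when this PHP build was compiled with Argon2; on
// builds without it the constant does not exist, so fall back to Bcrypt
// instead of fataling on an undefined constant at login time.
function example_password_algo( $algo ) {
    if ( defined( 'PASSWORD_ARGON2ID' ) ) {
        return PASSWORD_ARGON2ID;
    }
    return PASSWORD_BCRYPT;
}
add_filter( 'wp_php_hash_password_algorithm', 'example_password_algo' );

// Options must match the algorithm actually in use: Argon2 takes
// memory_cost (KiB), time_cost and threads; Bcrypt only understands 'cost'.
function example_password_options( $options ) {
    if ( defined( 'PASSWORD_ARGON2ID' ) ) {
        return [
            'memory_cost' => 64 * 1024, // 64 MiB, PHP's own default
            'time_cost'   => 4,
            'threads'     => 2,
        ];
    }
    return [ 'cost' => 12 ];
}
add_filter( 'wp_hash_password_options', 'example_password_options' );

// Report which native algorithm produced a stored hash ('bcrypt',
// 'argon2i', 'argon2id'). Legacy PHPass hashes ($P$...) are not native
// password_hash() output, so PHP reports them as 'unknown'.
function example_hash_algo_name( $hash ) {
    $info = password_get_info( $hash );
    return $info['algoName'];
}

// Usage from WP-CLI: wp eval 'echo example_hash_algo_name( get_user_by( "id", 1 )->user_pass );'
```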

Changelog

See CHANGELOG.md for notable changes per version.


wp-php-password's Issues

Report if not overriding functions

Accidentally, while testing, I had the plugin installed twice; as the individual functions are wrapped in function_exists(), the plugin silently does nothing if another plugin is using the same functions.

We should probably at least alert the admin user in that scenario that the plugin is not doing anything useful, and maybe consider erroring on login?

Password versioning

While the "upgrade" from PHPass to the native password hasher is seamless, migrating between algorithms is not. Currently the only way for someone to move from Bcrypt to Argon is to reset the password.

There is no mechanism to "upgrade" or "downgrade". I'm not sure I actually think that is in scope, but knowing which hashing algorithm was used probably does make sense.

Timing Attack Prevention

While the function password_verify() is safe from timing attacks
(https://www.php.net/manual/en/function.password-verify.php),
we offer a check_password filter, which means we could end up in a scenario where a plugin or something else causes the potential for a timing attack.

It makes sense that the simplest way to prevent this is by adding additional timing prevention; https://www.php.net/manual/en/function.password-hash.php#124294 is a potential implementation around wp_check_password().
