WordPress 6.8 Adopts bcrypt for Password Hashing, 13 Years After Its Initial Proposal

WordPress 6.8, the upcoming first major release of 2025, will make a significant change: it replaces the current phpass portable hashing system with bcrypt for hashing and storing user passwords in the database.

This adoption finally closes a Trac ticket opened 13 years ago by Thorsten (th23), who first proposed the change.

Enhanced password security

John Blackbourn stated that this adoption would result in enhanced password security: “The adoption of bcrypt hardens password security in WordPress by significantly increasing the computational cost of cracking a password hash. In addition, application passwords, user password reset keys, personal data request keys, and the recovery mode key will switch from using phpass to the cryptographically secure but fast BLAKE2b hashing algorithm via Sodium.”

Regarding this major change, he has made clear that neither site admins nor users need to make any adjustments on their end: “No action needs to be taken by site owners or users as a result of these changes. Passwords and security keys that were saved in prior versions of WordPress will continue to work after updating to 6.8. Users don’t need to change or reset their passwords, logged-in users will remain logged in, and their sessions will remain valid.”

Existing user passwords will be rehashed with bcrypt the next time the user changes their password or logs in after the update. Application passwords and security keys are handled differently: “Application passwords and security keys will not get automatically rehashed, but an existing hash will remain valid if it was generated prior to WordPress 6.8 and used before it expires.”

Post passwords (for password-protected posts) will continue to use phpass portable hashing, though this may change in the future.

The portability of password hashes across servers and environments remains unaffected

John Blackbourn has also addressed a major concern that site owners may have about this change: whether it affects the portability of hashes generated by the phpass portable hashing algorithm.

He has clearly stated that portability is unaffected: “This portability doesn’t change with this switch to bcrypt and BLAKE2b, so you can move your database from one server to another and update to newer versions of PHP and WordPress and the password hashes will continue to function as expected.”

Enhancements to password handling functions and new fast hashing functions

Firstly, two existing functions have been updated: “wp_hash_password() and wp_check_password() functions have been updated to use the PHP native password_hash() and password_verify() functions with the bcrypt algorithm and SHA-384 pre-hashing.”

Regarding wp_check_password(), the post states: “The wp_check_password() function retains support for passwords that were hashed using phpass, which means existing password hashes won’t be invalidated.”

A new function, wp_password_needs_rehash(), has also been introduced in WordPress 6.8: “A new wp_password_needs_rehash() function has been introduced as a wrapper for password_needs_rehash().”

To address bcrypt’s 72-byte password length limit, SHA-384 pre-hashing has been implemented, and the resulting hashes carry a distinct prefix: “Password hashes are therefore stored with a $wp prefix to distinguish them from vanilla bcrypt hashes which may be in use via a plugin. By default this means the full prefix will be $wp$2y$.”

Two new fast hashing functions have also been introduced: wp_fast_hash() and wp_verify_fast_hash().

Developer advisory, impact on authentication methods, and Argon2 support

The actions developers need to take to align with this change have also been spelled out: “Code that calls wp_hash_password() and wp_check_password() will continue to work as expected and does not need to change. Code that directly handles phpass hashes may need to be updated…”

The bcrypt adoption is not expected to affect other authentication methods: “Alternative authentication mechanisms such as single sign-on (SSO), social login, or one-time login are unlikely to be affected by this change… Multi-factor (MFA and 2FA) implementations are also unlikely to be affected by this change.”

John has also highlighted how Argon2id can be used in place of bcrypt on servers with Argon2 support, by adding the following filter:

add_filter( 'wp_hash_password_algorithm', fn() => PASSWORD_ARGON2ID );
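The hashing scheme described in the previous sections (SHA-384 pre-hash, bcrypt via password_hash(), the $wp prefix, legacy-aware verification and the rehash check), together with the algorithm swap the filter above performs, as an added example: this is not WordPress core code, the demo_* names are hypothetical, and the exact pre-hash construction is an assumption since the article only says “SHA-384 pre-hashing”.

```php
<?php
// Added example, not WordPress core code. Illustrates the scheme the article
// describes; demo_* names are hypothetical and the pre-hash construction
// (plain SHA-384, base64-encoded) is an assumption.

const DEMO_PREFIX = '$wp';

// bcrypt ignores everything after 72 bytes. Pre-hashing with SHA-384 and
// base64-encoding gives a fixed 64-character input, so long passphrases are
// used in full and no two of them collide on a truncated prefix.
function demo_prehash(string $password): string {
    return base64_encode(hash('sha384', $password, true));
}

// $algo may be PASSWORD_ARGON2ID (as in the article's filter) on PHP builds
// that support it; the stored prefix then becomes "$wp$argon2id$".
function demo_hash_password(string $password, $algo = PASSWORD_BCRYPT): string {
    return DEMO_PREFIX . password_hash(demo_prehash($password), $algo);
}

function demo_is_wp_hash(string $hash): bool {
    return strncmp($hash, DEMO_PREFIX . '$', 4) === 0;
}

// Hashes without the "$wp" prefix ("$P$" phpass, a plugin's bare "$2y$")
// fall through to the legacy checker, so existing hashes stay valid.
function demo_check_password(string $password, string $hash, callable $legacy_check): bool {
    if (demo_is_wp_hash($hash)) {
        return password_verify(demo_prehash($password), substr($hash, strlen(DEMO_PREFIX)));
    }
    return $legacy_check($password, $hash);
}

// Anything still in the old format, or below the current cost, should be
// rehashed the next time the user logs in successfully.
function demo_needs_rehash(string $hash, $algo = PASSWORD_BCRYPT): bool {
    return !demo_is_wp_hash($hash)
        || password_needs_rehash(substr($hash, strlen(DEMO_PREFIX)), $algo);
}

// Constructed walk-through: a stand-in legacy checker (the real phpass check
// is not reproduced here), then a login that upgrades the stored hash.
$legacy = fn(string $p, string $h): bool => $h === '$P$constructed-legacy-hash' && $p === 'hunter2';
$stored = '$P$constructed-legacy-hash';
if (demo_check_password('hunter2', $stored, $legacy) && demo_needs_rehash($stored)) {
    $stored = demo_hash_password('hunter2');
}
var_dump(demo_is_wp_hash($stored), demo_check_password('hunter2', $stored, $legacy));
```

password_hash() with PASSWORD_ARGON2ID only works on PHP builds compiled with Argon2 support, which is why the article presents it as an opt-in filter rather than the default.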

The announcement post also acknowledges the efforts of the Roots team: “Many thanks go to the Roots team for maintaining their bcrypt password hashing package for WordPress as well as the many contributors on the Trac tickets and GitHub pull requests.”

Interested readers can refer to the Trac ticket or the discussion on GitHub to learn more about this implementation.
