I’m happy to see WordPress is adopting bcrypt for password hashes. I have been following the Trac ticket for over 10 years. Quite a few people got props on this one.
If you’re not familiar, until now WordPress used a library called phpass for hashing passwords. WordPress has a history of maintaining backwards compatibility with pretty old versions of PHP, which is great for users who don’t know how to upgrade things like PHP, but one of the trade-offs is delaying support for things like bcrypt.
We can’t pretend that switching to bcrypt for user-generated passwords is a recent proposal. Ideally the switch would have been made back when the increase to the minimum supported version of PHP facilitated this change. However, this change has now been made and it helps future-proof further improvements to password hashing, including increases to the bcrypt cost in newer versions of PHP.
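As an added illustration (not WordPress core code and not the Roots package), this is the shape of a login check that verifies a password and transparently replaces either a legacy phpass hash or a bcrypt hash made at a lower cost with one at the current cost; `verify_legacy_phpass()` is a hypothetical stand-in for the phpass check, and the cost value is an assumption.

```php
<?php
// Added example, not WordPress's own implementation. Shows rehash-on-login:
// the only moment the plaintext is available is a successful login, so that
// is when an old hash (phpass, or bcrypt at a lower cost) gets replaced.
declare(strict_types=1);

// Assumed policy cost. PHP 8.4 raised password_hash()'s default bcrypt cost from 10 to 12.
const BCRYPT_OPTIONS = ['cost' => 12];

/** Hypothetical stand-in for the phpass CheckPassword() routine ("$P$" hashes). */
function verify_legacy_phpass(string $password, string $hash): bool
{
    // A real deployment would delegate to the phpass library here.
    return false;
}

/** Returns true on a correct password; calls $persist($newHash) when the stored hash should be replaced. */
function verify_and_upgrade(string $password, string $storedHash, callable $persist): bool
{
    // password_get_info() reports algoName 'unknown' for anything not produced by password_hash(),
    // which is how a legacy phpass hash is told apart from a bcrypt one.
    if (password_get_info($storedHash)['algoName'] === 'unknown') {
        if (!verify_legacy_phpass($password, $storedHash)) {
            return false;
        }
        $persist(password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS));
        return true;
    }

    if (!password_verify($password, $storedHash)) {
        return false;
    }

    // Correct password, but the hash may predate the current cost: re-hash under today's policy.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        $persist(password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS));
    }
    return true;
}

// Constructed demo: a cost-10 hash is upgraded on the first correct login.
$oldHash = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
$ok = verify_and_upgrade('correct horse battery staple', $oldHash, function (string $newHash): void {
    echo "replacing stored hash with: {$newHash}\n";
});
echo $ok ? "login ok\n" : "login failed\n";
```

Raising the cost constant later needs no migration step: every account is upgraded the next time its owner logs in, and password_needs_rehash() is what makes that automatic.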
Many thanks go to the Roots team for maintaining their bcrypt password hashing package for WordPress as well as the many contributors on the Trac tickets and GitHub pull requests.
Also thanks to John and everyone involved for getting this into WordPress 6.8.