• Resolved RayBernard

    (@raybernard)


    I am running the following:
    WordPress 5.5.1
    Better Passwords version
    PHP 7.4.11
    mySQL 5.7.23

    I also cannot change the Hashing Algorithm from the default.

    Looking at the plugin code, the advanced algorithm selection options are disabled after (wisely) checking to see if the compiled version of PHP supports them. There is nothing in the plugin documentation that states this requirement complication. It’s not just the version number itself.

    From the PHP documentation on the password_hash() function used by the Better Words plugin (the italic emphasis is mine):

    password_hash() creates a new password hash using a strong one-way hashing algorithm. The following algorithms are currently supported:

    PASSWORD_DEFAULT – Use the bcrypt algorithm (default as of PHP 5.5.0). Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change over time. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).

    PASSWORD_BCRYPT – Use the CRYPT_BLOWFISH algorithm to create the hash. This will produce a standard crypt() compatible hash using the “$2y$” identifier. The result will always be a 60 character string, or FALSE on failure.

    PASSWORD_ARGON2I – Use the Argon2i hashing algorithm to create the hash. This algorithm is only available if PHP has been compiled with Argon2 support.

    PASSWORD_ARGON2ID – Use the Argon2id hashing algorithm to create the hash. This algorithm is only available if PHP has been compiled with Argon2 support.

    Better Passwords verifies that Argon2i and Argon2id are available by attempting to create a hash. If the attempt fails, that algorithm’s option is disabled.

    So I guess I’ll have to check with the hosting company to see about getting the required compilation of PHP 7.4.

    Rik, please update the Better Passwords documentation to include this information.

    In the meantime, I’m happy using the Bcrypt default option as this passwords functionality is far better than what WordPress itself offers.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter RayBernard

    (@raybernard)

    FOUND THE ISSUE. When my hosting provider said that the PHP versions WERE compiled with the advanced hash algorithm support, I looked deeper and found the issue.

    A change to the function password_hash() in PHP 7.4.0 invalidated one line of code in the Better Passwords function better_pass_check_algorithm(). The function’s purpose is to verify that the algorithm is defined as a constant in the environment before allowing it to be enabled. Good coding, but it got invalidated.

    The PASSWORD_BCRYPT, PASSWORD_ARGON2I and PASSWORD_ARGON2ID constants used to be defined as integers but now are strings. The PHP password_hash() function still accepts integers for backwards compatibility, but the constants are now defined as strings.

    Thus, when the better_pass_check_algorithm() function assigns an advanced algorithm constant to $alg and then uses is_int($alg) to check for it, the validation always fails. The plugin doesn’t perform that check for PASSWORD_BCRYPT, because it’s already known to be there. Hence the two disabled advanced algorithm selections on the plugin’s Settings page.

    In better-passwords.php – in the better_pass_check_algorithm() – I modified line 214 from:

    if(is_int($alg)) {

    to:

    if(is_int($alg) or is_string($alg)) {

    and now all three algorithm selections are enabled on the Settings page.
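
As an added example (not from the original posts and not the plugin's own code), one way to write an availability check that holds across the PHP 7.4 change described above: it accepts both integer and string constants and confirms support with a trial hash. The helper name `algo_available()` is hypothetical.

```php
<?php
// Added example: hypothetical helper, not the plugin's better_pass_check_algorithm().

/**
 * Return true if the named PASSWORD_* constant identifies an algorithm
 * that this PHP build can actually use.
 */
function algo_available(string $constName): bool
{
    // Argon2 constants are only defined when PHP was built with Argon2 support.
    if (!defined($constName)) {
        return false;
    }
    $alg = constant($constName);

    // Integers before PHP 7.4, strings from 7.4 on: accept both types.
    if (!is_int($alg) && !is_string($alg)) {
        return false;
    }

    // PHP 7.4+ can list the registered algorithm identifiers directly.
    if (function_exists('password_algos') && is_string($alg)
        && !in_array($alg, password_algos(), true)) {
        return false;
    }

    // Final proof: a trial hash that verifies and reports the expected algorithm.
    try {
        $hash = @password_hash('probe', $alg);
    } catch (\Throwable $e) { // PHP 8 throws ValueError for unknown algorithms
        return false;
    }
    if (!is_string($hash) || !password_verify('probe', $hash)) {
        return false;
    }
    return password_get_info($hash)['algo'] === $alg;
}

// Report the constant's type and availability on the running PHP build.
foreach (['PASSWORD_BCRYPT', 'PASSWORD_ARGON2I', 'PASSWORD_ARGON2ID'] as $name) {
    printf("%-18s %-8s %s\n", $name,
        defined($name) ? gettype(constant($name)) : 'n/a',
        algo_available($name) ? 'available' : 'unavailable');
}
```

The type column shows whether the running PHP build defines the constants as integers or strings, which is the difference that broke the is_int() check.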

  • Plugin Author Rik Lewis

    (@riklewis)

    I apologise, I responded to these emails directly and not here on the support forum.

    As discussed via email, thank you for finding and reporting this issue, I will release an update with your fix shortly.

  • The topic ‘Also Can’t change Hashing Algorithm’ is closed to new replies.