Security: Switch to using bcrypt for hashing user passwords and BLAKE2b for hashing application passwords and security keys.

Passwords and security keys that were saved in prior versions of WordPress will continue to work. Each user's password will be opportunistically rehashed and resaved when they next subsequently log in using a valid password.

The following new functions have been introduced:

* `wp_password_needs_rehash()`
* `wp_fast_hash()`
* `wp_verify_fast_hash()`

The following new filters have been introduced:

* `password_needs_rehash`
* `wp_hash_password_algorithm`
* `wp_hash_password_options`

Props ayeshrajans, bgermann, dd32, deadduck169, desrosj, haozi, harrym, iandunn, jammycakes, joehoyle, johnbillion, mbijon, mojorob, mslavco, my1xt, nacin, otto42, paragoninitiativeenterprises, paulkevan, rmccue, ryanhellyer, scribu, swalkinshaw, synchro, th23, timothyblynjacobs, tomdxw, westi, xknown.

Additional thanks go to the Roots team, Soatok, Calvin Alkan, and Raphael Ahrens.

Fixes #21022, #44628

git-svn-id: https://develop.svn.wordpress.org/trunk@59828 602fd350-edb4-49c9-b593-d223f7449a82

Author: johnbillion

src/wp-admin/includes/upgrade.php

@@ -980,6 +980,7 @@ function upgrade_101() {
  *
  * @ignore
  * @since 1.2.0
+ * @since 6.8.0 User passwords are no longer hashed with md5.
  *
  * @global wpdb $wpdb WordPress database abstraction object.
  */
@@ -995,13 +996,6 @@ function upgrade_110() {
 		}
 	}
 
-	$users = $wpdb->get_results( "SELECT ID, user_pass from $wpdb->users" );
-	foreach ( $users as $row ) {
-		if ( ! preg_match( '/^[A-Fa-f0-9]{32}$/', $row->user_pass ) ) {
-			$wpdb->update( $wpdb->users, array( 'user_pass' => md5( $row->user_pass ) ), array( 'ID' => $row->ID ) );
-		}
-	}
-
 	// Get the GMT offset, we'll use that later on.
 	$all_options = get_alloptions_110();
 

src/wp-includes/class-wp-application-passwords.php

@@ -60,6 +60,7 @@ public static function is_in_use() {
 	 *
 	 * @since 5.6.0
 	 * @since 5.7.0 Returns WP_Error if application name already exists.
+	 * @since 6.8.0 The hashed password value now uses wp_fast_hash() instead of phpass.
 	 *
 	 * @param int   $user_id  User ID.
 	 * @param array $args     {
@@ -95,7 +96,7 @@ public static function create_new_application_password( $user_id, $args = array(
 		}
 
 		$new_password    = wp_generate_password( static::PW_LENGTH, false );
-		$hashed_password = wp_hash_password( $new_password );
+		$hashed_password = self::hash_password( $new_password );
 
 		$new_item = array(
 			'uuid'      => wp_generate_uuid4(),
@@ -124,6 +125,7 @@ public static function create_new_application_password( $user_id, $args = array(
 		 * Fires when an application password is created.
 		 *
 		 * @since 5.6.0
+		 * @since 6.8.0 The hashed password value now uses wp_fast_hash() instead of phpass.
 		 *
 		 * @param int    $user_id      The user ID.
 		 * @param array  $new_item     {
@@ -249,6 +251,7 @@ public static function application_name_exists_for_user( $user_id, $name ) {
 	 * Updates an application password.
 	 *
 	 * @since 5.6.0
+	 * @since 6.8.0 The actual password should now be hashed using wp_fast_hash().
 	 *
 	 * @param int    $user_id User ID.
 	 * @param string $uuid    The password's UUID.
@@ -296,6 +299,8 @@ public static function update_application_password( $user_id, $uuid, $update = a
 			 * Fires when an application password is updated.
 			 *
 			 * @since 5.6.0
+			 * @since 6.8.0 The password is now hashed using wp_fast_hash() instead of phpass.
+			 *              Existing passwords may still be hashed using phpass.
 			 *
 			 * @param int   $user_id The user ID.
 			 * @param array $item    {
@@ -467,4 +472,36 @@ public static function chunk_password(
 
 		return trim( chunk_split( $raw_password, 4, ' ' ) );
 	}
+
+	/**
+	 * Hashes a plaintext application password.
+	 *
+	 * @since 6.8.0
+	 *
+	 * @param string $password Plaintext password.
+	 * @return string Hashed password.
+	 */
+	public static function hash_password(
+		#[\SensitiveParameter]
+		string $password
+	): string {
+		return wp_fast_hash( $password );
+	}
+
+	/**
+	 * Checks a plaintext application password against a hashed password.
+	 *
+	 * @since 6.8.0
+	 *
+	 * @param string $password Plaintext password.
+	 * @param string $hash     Hash of the password to check against.
+	 * @return bool Whether the password matches the hashed password.
+	 */
+	public static function check_password(
+		#[\SensitiveParameter]
+		string $password,
+		string $hash
+	): bool {
+		return wp_verify_fast_hash( $password, $hash );
+	}
 }

src/wp-includes/class-wp-recovery-mode-key-service.php

@@ -37,29 +37,18 @@ public function generate_recovery_mode_token() {
 	 * Creates a recovery mode key.
 	 *
 	 * @since 5.2.0
-	 *
-	 * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.
+	 * @since 6.8.0 The stored key is now hashed using wp_fast_hash() instead of phpass.
 	 *
 	 * @param string $token A token generated by {@see generate_recovery_mode_token()}.
 	 * @return string Recovery mode key.
 	 */
 	public function generate_and_store_recovery_mode_key( $token ) {
-
-		global $wp_hasher;
-
 		$key = wp_generate_password( 22, false );
 
-		if ( empty( $wp_hasher ) ) {
-			require_once ABSPATH . WPINC . '/class-phpass.php';
-			$wp_hasher = new PasswordHash( 8, true );
-		}
-
-		$hashed = $wp_hasher->HashPassword( $key );
-
 		$records = $this->get_keys();
 
 		$records[ $token ] = array(
-			'hashed_key' => $hashed,
+			'hashed_key' => wp_fast_hash( $key ),
 			'created_at' => time(),
 		);
 
@@ -85,16 +74,12 @@ public function generate_and_store_recovery_mode_key( $token ) {
 	 *
 	 * @since 5.2.0
 	 *
-	 * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.
-	 *
 	 * @param string $token The token used when generating the given key.
-	 * @param string $key   The unhashed key.
+	 * @param string $key   The plain text key.
 	 * @param int    $ttl   Time in seconds for the key to be valid for.
 	 * @return true|WP_Error True on success, error object on failure.
 	 */
 	public function validate_recovery_mode_key( $token, $key, $ttl ) {
-		global $wp_hasher;
-
 		$records = $this->get_keys();
 
 		if ( ! isset( $records[ $token ] ) ) {
@@ -109,12 +94,7 @@ public function validate_recovery_mode_key( $token, $key, $ttl ) {
 			return new WP_Error( 'invalid_recovery_key_format', __( 'Invalid recovery key format.' ) );
 		}
 
-		if ( empty( $wp_hasher ) ) {
-			require_once ABSPATH . WPINC . '/class-phpass.php';
-			$wp_hasher = new PasswordHash( 8, true );
-		}
-
-		if ( ! $wp_hasher->CheckPassword( $key, $record['hashed_key'] ) ) {
+		if ( ! wp_verify_fast_hash( $key, $record['hashed_key'] ) ) {
 			return new WP_Error( 'hash_mismatch', __( 'Invalid recovery key.' ) );
 		}
 
@@ -169,9 +149,20 @@ private function remove_key( $token ) {
 	 * Gets the recovery key records.
 	 *
 	 * @since 5.2.0
+	 * @since 6.8.0 Each key is now hashed using wp_fast_hash() instead of phpass.
+	 *              Existing keys may still be hashed using phpass.
+	 *
+	 * @return array {
+	 *     Associative array of token => data pairs, where the data is an associative
+	 *     array of information about the key.
 	 *
-	 * @return array Associative array of $token => $data pairs, where $data has keys 'hashed_key'
-	 *               and 'created_at'.
+	 *     @type array ...$0 {
+	 *         Information about the key.
+	 *
+	 *         @type string $hashed_key The hashed value of the key.
+	 *         @type int    $created_at The timestamp when the key was created.
+	 *     }
+	 * }
 	 */
 	private function get_keys() {
 		return (array) get_option( $this->option_name, array() );
@@ -181,9 +172,19 @@ private function get_keys() {
 	 * Updates the recovery key records.
 	 *
 	 * @since 5.2.0
+	 * @since 6.8.0 Each key should now be hashed using wp_fast_hash() instead of phpass.
+	 *
+	 * @param array $keys {
+	 *     Associative array of token => data pairs, where the data is an associative
+	 *     array of information about the key.
+	 *
+	 *     @type array ...$0 {
+	 *         Information about the key.
 	 *
-	 * @param array $keys Associative array of $token => $data pairs, where $data has keys 'hashed_key'
-	 *                    and 'created_at'.
+	 *         @type string $hashed_key The hashed value of the key.
+	 *         @type int    $created_at The timestamp when the key was created.
+	 *     }
+	 * }
 	 * @return bool True on success, false on failure.
 	 */
 	private function update_keys( array $keys ) {

src/wp-includes/class-wp-user-request.php

@@ -92,6 +92,8 @@ final class WP_User_Request {
 	 * Key used to confirm this request.
 	 *
 	 * @since 4.9.6
+	 * @since 6.8.0 The key is now hashed using wp_fast_hash() instead of phpass.
+	 *
 	 * @var string
 	 */
 	public $confirm_key = '';

src/wp-includes/class-wp-user.php

@@ -11,6 +11,7 @@
  * Core class used to implement the WP_User object.
  *
  * @since 2.0.0
+ * @since 6.8.0 The `user_pass` property is now hashed using bcrypt instead of phpass.
  *
  * @property string $nickname
  * @property string $description

src/wp-includes/functions.php

@@ -9114,3 +9114,62 @@ function wp_is_heic_image_mime_type( $mime_type ) {
 
 	return in_array( $mime_type, $heic_mime_types, true );
 }
+
+/**
+ * Returns a cryptographically secure hash of a message using a fast generic hash function.
+ *
+ * Use the wp_verify_fast_hash() function to verify the hash.
+ *
+ * This function does not salt the value prior to being hashed, therefore input to this function must originate from
+ * a random generator with sufficiently high entropy, preferably greater than 128 bits. This function is used internally
+ * in WordPress to hash security keys and application passwords which are generated with high entropy.
+ *
+ * Important:
+ *
+ *  - This function must not be used for hashing user-generated passwords. Use wp_hash_password() for that.
+ *  - This function must not be used for hashing other low-entropy input. Use wp_hash() for that.
+ *
+ * The BLAKE2b algorithm is used by Sodium to hash the message.
+ *
+ * @since 6.8.0
+ *
+ * @throws TypeError Thrown by Sodium if the message is not a string.
+ *
+ * @param string $message The message to hash.
+ * @return string The hash of the message.
+ */
+function wp_fast_hash(
+	#[\SensitiveParameter]
+	string $message
+): string {
+	return '$generic$' . sodium_bin2hex( sodium_crypto_generichash( $message ) );
+}
+
+/**
+ * Checks whether a plaintext message matches the hashed value. Used to verify values hashed via wp_fast_hash().
+ *
+ * The function uses Sodium to hash the message and compare it to the hashed value. If the hash is not a generic hash,
+ * the hash is treated as a phpass portable hash in order to provide backward compatibility for application passwords
+ * which were hashed using phpass prior to WordPress 6.8.0.
+ *
+ * @since 6.8.0
+ *
+ * @throws TypeError Thrown by Sodium if the message is not a string.
+ *
+ * @param string $message The plaintext message.
+ * @param string $hash    Hash of the message to check against.
+ * @return bool Whether the message matches the hashed message.
+ */
+function wp_verify_fast_hash(
+	#[\SensitiveParameter]
+	string $message,
+	string $hash
+): bool {
+	if ( ! str_starts_with( $hash, '$generic$' ) ) {
+		// Back-compat for old phpass hashes.
+		require_once ABSPATH . WPINC . '/class-phpass.php';
+		return ( new PasswordHash( 8, true ) )->CheckPassword( $message, $hash );
+	}
+
+	return hash_equals( $hash, wp_fast_hash( $message ) );
+}