lib/Crypto/Phpass: support new hashes of wordpress 6.8

StalkR · StalkR · commit 71df55439c39 · 2025-05-14T15:09:34.000+02:00
diff --git a/lib/Crypto/Phpass.php b/lib/Crypto/Phpass.php
@@ -53,6 +53,12 @@ public function __construct(IL10N $localization, $iterationCount = 8)
      */
     public function checkPassword($password, $dbHash, $salt = null)
     {
+        // WordPress 6.8 upgraded password hashing for bcrypt
+        // https://make.wordpress.org/core/2025/02/17/wordpress-6-8-will-use-bcrypt-for-password-hashing/
+        if (str_starts_with( $dbHash, '$wp' )) {
+            $password_to_verify = base64_encode( hash_hmac( 'sha384', $password, 'wp-sha384', true ) );
+            return password_verify( $password_to_verify, substr( $dbHash, 3 ) );
+        }
         return hash_equals($dbHash, $this->crypt($password, $dbHash));
     }
 

Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,12 @@ public function __construct(IL10N $localization, $iterationCount = 8)`
`53`	`53`	`*/`
`54`	`54`	`public function checkPassword($password, $dbHash, $salt = null)`
`55`	`55`	`{`
	`56`	`+ // WordPress 6.8 upgraded password hashing for bcrypt`
	`57`	`+ // https://make.wordpress.org/core/2025/02/17/wordpress-6-8-will-use-bcrypt-for-password-hashing/`
	`58`	`+ if (str_starts_with( $dbHash, '$wp' )) {`
	`59`	`+ $password_to_verify = base64_encode( hash_hmac( 'sha384', $password, 'wp-sha384', true ) );`
	`60`	`+ return password_verify( $password_to_verify, substr( $dbHash, 3 ) );`
	`61`	`+ }`
`56`	`62`	`return hash_equals($dbHash, $this->crypt($password, $dbHash));`
`57`	`63`	`}`
`58`	`64`