Soatok Dreamseeker

Results: 61 comments by Soatok Dreamseeker

> Using SHA for pre-hashing will cause more trouble in future upgrades (assuming we need to upgrade to argon2id one day) and will not benefit the vast majority of users...

> > > Using SHA for pre-hashing will cause more trouble in future upgrades (assuming we need to upgrade to argon2id one day) and will not benefit the vast majority...

Thankfully, this isn't anywhere near "rolling our own crypto". The SHA2+base64 paradigm has been implemented in several proprietary systems I've worked on over the past decade. I also cited password_lock...

> For `sodium_bin2base64`, it is impossible, https://github.com/WordPress/wordpress-develop/blob/71a52ced57ad8cb9fc52681abb5280c56a0b0a6c/src/wp-includes/sodium_compat/lib/php72compat.php#L146-L162 :)

As far as I'm aware, sodium_compat does not include scrypt or argon2.

> it's so far removed from any real life problem that it distracts from assessing the underlying switch to bcrypt.

I respectfully disagree, for two reasons:

1. WordPress has historically...

@mbijon Your comment is wrong on several levels, including one I had been ignoring in the previous discussion because I didn't want to derail it with pedantry. Unfortunately, this pedantry...

Unrelated, I was notified because of this GitHub Actions workflow.

> The following contributors have not linked their GitHub and WordPress.org accounts: @soatok.

I'm not going to even _have_ a...

> Stop it @soatok. You're undermining a clear improvement on md5 with incorrect information:

1. It's generally considered rude to tell strangers to stop "it". Whatever "it" is, in this...

Meta comment: I've updated my comment earlier in the thread [to clarify one of my statements](https://github.com/WordPress/wordpress-develop/pull/7333#:~:text=On%20My%20Remark%20About%20Cryptographers%27%20Dislike%20of%20Bcrypt). I wanted to call attention to this in case it is overlooked.