Prepare for bcrypt support in WordPress core #44

Open
johnbillion opened this issue Nov 25, 2024 · 0 comments

johnbillion commented Nov 25, 2024

Summary

I'm proposing that WordPress core switches from phpass to bcrypt via the native password hashing functions for hashing passwords and security keys. It might go into 6.8, but we'll see. Depending on your train of thought this is somewhere between 5 and 12 years behind schedule. Alas, we can't go back in time.

My proposal aims to be compatible with existing plugins that implement bcrypt for password hashing, including roots/wp-password-bcrypt. It should be possible to either:

  • Continue using roots/wp-password-bcrypt without any problems
  • Remove roots/wp-password-bcrypt and not have to change or rehash passwords

I am fairly confident that the current PR is achieving both of those things, but I would be grateful if anyone using this plugin would help review and test the approach. The main difference is how rehashing is performed in order to upgrade from phpass hashed passwords to bcrypt, which happens outside of wp_check_password(). The underlying reason is that this function can be used to check passwords other than a user's password, one of the reasons why roots/wp-password-bcrypt includes special handling for Application Passwords used for the REST API.

Support for the wp_hash_password_options filter from this plugin has also been included in my proposal for core.

With this change in place in core, there should be no further need for roots/wp-password-bcrypt. One approach to put it to bed but remain compatible with older versions of WordPress would be to add a conflicts entry in composer.json to declare that it conflicts with roots/wordpress and roots/wordpress-full at version 6.8 and higher.

I don't think anything needs to be done yet because we need to actually get it into core first.

What do you think?

Additional context

No response
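The upgrade path the issue describes, as an added illustration that is not code from WordPress core, the linked core PR, or roots/wp-password-bcrypt: a check function that verifies either a legacy portable-phpass (`$P$`) hash or a native bcrypt hash and does nothing else, with the rehash decision left to the caller that owns the user's password. The phpass routine is reimplemented here so the file runs stand-alone; `check_password`, `needs_bcrypt_rehash` and the `$options` array (standing in for whatever a wp_hash_password_options-style filter would supply) are hypothetical names, and the salt and password are constructed for the demo. Requires PHP 8.0 or later.

```php
<?php
declare(strict_types=1);
// Added example, not WordPress core or plugin code. Demonstrates: verify a phpass ($P$)
// or bcrypt hash, and decide separately whether the stored hash must be upgraded.

const PHPASS_ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// Portable phpass base64 variant (not RFC 4648), reimplemented here for the demo.
function phpass_encode64(string $input, int $count): string
{
    $output = '';
    $i = 0;
    do {
        $value = ord($input[$i++]);
        $output .= PHPASS_ITOA64[$value & 0x3f];
        if ($i < $count) {
            $value |= ord($input[$i]) << 8;
        }
        $output .= PHPASS_ITOA64[($value >> 6) & 0x3f];
        if ($i++ >= $count) {
            break;
        }
        if ($i < $count) {
            $value |= ord($input[$i]) << 16;
        }
        $output .= PHPASS_ITOA64[($value >> 12) & 0x3f];
        if ($i++ >= $count) {
            break;
        }
        $output .= PHPASS_ITOA64[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $output;
}

// Portable phpass: 2^count_log2 rounds of MD5 over salt and password. Returns the 34-char hash,
// or null when $setting is not a usable $P$/$H$ setting string.
function phpass_crypt(string $password, string $setting): ?string
{
    if (strlen($setting) < 12 || !in_array(substr($setting, 0, 3), ['$P$', '$H$'], true)) {
        return null;
    }
    $count_log2 = strpos(PHPASS_ITOA64, $setting[3]);
    if ($count_log2 === false || $count_log2 < 7 || $count_log2 > 30) {
        return null;
    }
    $count  = 1 << $count_log2;
    $salt   = substr($setting, 4, 8);
    $digest = md5($salt . $password, true);
    do {
        $digest = md5($digest . $password, true);
    } while (--$count);
    return substr($setting, 0, 12) . phpass_encode64($digest, 16);
}

function is_phpass_hash(string $hash): bool
{
    return str_starts_with($hash, '$P$') || str_starts_with($hash, '$H$');
}

// Check only, no side effects: the issue's point is that the checker is also used for secrets
// other than the login password, so it must not rehash anything itself.
function check_password(string $password, string $stored_hash): bool
{
    if (is_phpass_hash($stored_hash)) {
        $computed = phpass_crypt($password, $stored_hash);
        return $computed !== null && hash_equals($stored_hash, $computed);
    }
    return password_verify($password, $stored_hash);
}

// Rehash decision for the caller that owns a user's password. $options is the assumed shape
// of what a wp_hash_password_options-style filter would provide (e.g. the bcrypt cost).
function needs_bcrypt_rehash(string $stored_hash, array $options): bool
{
    return is_phpass_hash($stored_hash)
        || password_needs_rehash($stored_hash, PASSWORD_BCRYPT, $options);
}

function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("expectation failed: $what");
    }
}

// Constructed demo: '$P$B' encodes count_log2 = 13 (8192 rounds, WordPress's portable default),
// followed by a fixed 8-character salt.
$password = 'correct horse battery staple';
$options  = ['cost' => 10];
$legacy   = phpass_crypt($password, '$P$Babcdefgh');

expect(check_password($password, $legacy), 'legacy hash verifies');
expect(!check_password('wrong password', $legacy), 'wrong password rejected');
expect(needs_bcrypt_rehash($legacy, $options), 'legacy hash flagged for upgrade');

// After a successful legacy login, the login path (not check_password) stores a bcrypt hash.
$upgraded = password_hash($password, PASSWORD_BCRYPT, $options);
expect(str_starts_with($upgraded, '$2y$'), 'upgraded hash is bcrypt');
expect(check_password($password, $upgraded), 'bcrypt hash verifies');
expect(!needs_bcrypt_rehash($upgraded, $options), 'bcrypt hash at target cost needs no rehash');

echo "legacy:   $legacy\nupgraded: $upgraded\n";
```

Keeping the verify step free of side effects is what lets the same checker serve user passwords and other secrets alike; only the code path that knows it is handling a user's login password performs the upgrade, and `password_needs_rehash()` also catches existing bcrypt hashes whose cost falls below whatever the filter-supplied options request.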
