Seravo / wordpress

The WordPress project layout used by many of Seravo's customers, suitable also for local development with Vagrant and git deployment
https://seravo.com
GNU General Public License v3.0
102 stars 54 forks

Seravo doesn't use bcrypt hashing for passwords but rather MD5 #216

Closed joonamakinen closed 7 months ago

joonamakinen commented 7 months ago

When importing a database from Seravo to a local Roots Bedrock, all password hashes start with $P$B and are clearly in MD5 form. As Roots Bedrock merged the bcrypt hashing plugin to be on by default 8 years ago, when changing a user password with WP CLI, new user passwords start with $2y$10$ and are clearly in the longer, bcrypt form.

MD5 hashing is considered insecure and Seravo no longer supports PHP <5.5 that required said removal of bcrypt support.

Roots article about password security: https://roots.io/improving-wordpress-password-security/.

Presumably if fixed, this only needs the roots/wp-password-bcrypt composer package to be in composer.json. Source code for said plugin: https://github.com/roots/wp-password-bcrypt. As described, it will retroactively work on old, unchanged MD5 passwords, and bcrypt-hashed passwords will work without the plugin as well.
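The two hash formats named above can be told apart by their prefix, and that is what makes a retroactive migration possible: a legacy $P$ hash can only be upgraded at the moment a user logs in with the correct password. The script below is an added example, not code from this repository or from roots/wp-password-bcrypt; it reimplements the phpass portable scheme (salted, iterated MD5, which is what $P$B hashes are) only so the demo runs offline, verifies a constructed legacy hash, and returns a bcrypt replacement on success. The salt "examples" and the demo password are constructed values, and the code assumes PHP 7.1 or newer.

```php
<?php
// Added example: verify a stored hash in either the legacy phpass ("$P$")
// or bcrypt ("$2y$") format and report whether it should be replaced.
// phpass logic is reimplemented here for a self-contained demo; in
// WordPress the same check is done by the bundled PasswordHash class.

const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

/** phpass-style base64 used by the portable hash (16 raw bytes -> 22 chars). */
function phpass_encode64(string $input, int $count): string
{
    $output = '';
    $i = 0;
    do {
        $value = ord($input[$i++]);
        $output .= ITOA64[$value & 0x3f];
        if ($i < $count) {
            $value |= ord($input[$i]) << 8;
        }
        $output .= ITOA64[($value >> 6) & 0x3f];
        if ($i++ >= $count) {
            break;
        }
        if ($i < $count) {
            $value |= ord($input[$i]) << 16;
        }
        $output .= ITOA64[($value >> 12) & 0x3f];
        if ($i++ >= $count) {
            break;
        }
        $output .= ITOA64[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $output;
}

/**
 * Recompute a phpass portable hash from its 12-char setting
 * ("$P$" + cost char + 8-char salt). Returns null if the setting is malformed.
 */
function phpass_crypt(string $password, string $setting): ?string
{
    if (strlen($setting) < 12) {
        return null;
    }
    $id = substr($setting, 0, 3);
    if ($id !== '$P$' && $id !== '$H$') {
        return null;
    }
    $count_log2 = strpos(ITOA64, $setting[3]);
    if ($count_log2 === false || $count_log2 < 7 || $count_log2 > 30) {
        return null;
    }
    $salt = substr($setting, 4, 8);
    $count = 1 << $count_log2;            // "$P$B": 'B' is index 13 => 8192 MD5 rounds
    $hash = md5($salt . $password, true);
    do {
        $hash = md5($hash . $password, true);
    } while (--$count);
    return substr($setting, 0, 12) . phpass_encode64($hash, 16);
}

/**
 * Returns [bool $ok, ?string $newHash]. $newHash is non-null when the login
 * succeeded against a legacy or outdated hash and the caller should persist
 * the bcrypt replacement (in WordPress: the user's user_pass column).
 */
function verify_and_migrate(string $password, string $stored): array
{
    if (substr($stored, 0, 4) === '$2y$') {
        if (!password_verify($password, $stored)) {
            return [false, null];
        }
        // Already bcrypt: rehash only if the cost parameter is below the current default.
        $new = password_needs_rehash($stored, PASSWORD_BCRYPT)
            ? password_hash($password, PASSWORD_BCRYPT)
            : null;
        return [true, $new];
    }
    if (substr($stored, 0, 3) === '$P$' || substr($stored, 0, 3) === '$H$') {
        $recomputed = phpass_crypt($password, $stored);
        if ($recomputed === null || !hash_equals($stored, $recomputed)) {
            return [false, null];
        }
        // Correct password against a legacy MD5-based hash: upgrade now,
        // because the plaintext is only available at login time.
        return [true, password_hash($password, PASSWORD_BCRYPT)];
    }
    return [false, null]; // unknown format: never accept
}

// Constructed demo data: a legacy hash built with a made-up salt, as an export would contain.
$legacy = phpass_crypt('correct horse battery staple', '$P$Bexamples');
[$ok, $upgraded] = verify_and_migrate('correct horse battery staple', $legacy);
printf("legacy login ok=%s, replacement prefix=%s\n", var_export($ok, true), substr($upgraded, 0, 4));
[$ok2, $again] = verify_and_migrate('correct horse battery staple', $upgraded);
printf("bcrypt login ok=%s, rehash needed=%s\n", var_export($ok2, true), var_export($again !== null, true));
[$bad, $none] = verify_and_migrate('wrong password', $legacy);
printf("wrong password ok=%s\n", var_export($bad, true));
```

Because the upgrade only happens on a successful login, accounts that never log in keep their $P$ hash indefinitely; counting rows in wp_users whose user_pass starts with $P$ versus $2y$ is a simple way to measure how far a migration has progressed, and forcing a password reset is the only way to retire hashes for dormant accounts.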

ypcs commented 7 months ago

Hi, and thanks for bringing this topic up. Like you mentioned, our template has used WordPress default hashing, which definitely is not good - if a malicious actor gains access to such password hashes, it would be trivial to determine the original password, which could then be used e.g. for credential stuffing attacks.

While our goal is to make this template more minimalistic in the future, we'll do this change, as improving security should always be the top priority.