WordPress 2.5 uses a new password hashing scheme. Plain-old MD5 hashes are no longer used. If you share your users table with other applications or with other WordPress blogs that won’t be upgrading to 2.5 all at once, you’ll probably want to continue using MD5 hashes rather than the new hashes. We’ve created a plugin to accommodate this. With the plugin, your 2.5 blog will continue to use MD5 hashes. You should install and activate this plugin immediately after upgrading to 2.5. Users who log in before the plugin is installed will get the new hashes, but once the plugin is active those users will be moved back to MD5 upon their next login. If you ever want to move to the new hashes, just deactivate the plugin.
If you want to use a hash other than MD5, the plugin demonstrates how easy it is to change how passwords are hashed. Use the MD5 plugin as a template for creating your own hashing plugin.
14 thoughts on “MD5 Password Hashes for 2.5”
Good that there is an upgrade in the algorithm.
The plugin sounds neat… but what is the new hashing algorithm? I like being able to change my password manually from mysql or phpmyadmin when the password gets fubared for whatever reason.
I’ve had it happen, though I can’t think of a situation where I’d need to manually change it right now…
This is fantastic… users of Amember and the WP Plugin which has not yet been updated can use this method.
Thanks for making this available.
What’s the link to this plugin?
Great news, just what everyone needed. I upgraded to 2.5 RC2 and then downgraded soon after…lost access to my blog. The only way it can be fixed is through phpmyadmin, deleting the field which contains the password, get a new one and everything should work again. But now that we have this great plugin, then it’s not necessary. Cheers guys!
Neil: Upgrades are technically a one-way process. “Downgrading” is a good way to break your blog. You’re lucky though that there are few DB changes between 2.3.x and 2.5. Next time, just make sure to backup your database before upgrading and then restore that backup if you wish to revert to the old version. You’ll save yourself a lot of future trouble.
Ryan: This is awesome. Thanks for this plugin.
@jsherk – the plugin is linked from the word plugin: http://wordpress.org/extend/plugins/md5-password-hashes/.
Seems like anything that will tighten up the ship is a good thing. Two thumbs up.
cheers for the tips viper, just made that back-up! Time to up-grade!
Alan: The algorithm basically converts the old passwords to the new hash at the time of login. The way it works is that it looks at the password field when the user logs in, and if it sees a 32-byte value, it presumes that it’s an old-style MD5 hash that has not been converted yet. It lets the user login and then converts the password.
So, you actually can still put MD5 passwords in manually using phpMyAdmin, and then they’ll get converted to the newer hashing scheme when that user first logs in.
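The login-time conversion described in the comment above, as an added example that is not part of the original thread and is not WordPress core or plugin code. It assumes PHP 7.1+ and uses PHP's built-in `password_hash()` as a stand-in for the newer scheme; the function names, the `$users` array and the sample password are hypothetical.

```php
<?php
// Added illustration; not WordPress core or plugin code.
// Assumption: password_hash()/password_verify() stand in for the newer scheme.

/** True when the stored value has the shape of an unsalted MD5 hex digest. */
function is_legacy_md5(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/i', $stored) === 1;
}

/**
 * Verify a login attempt against the stored hash.
 * Returns [bool $ok, ?string $replacement]; $replacement is non-null when
 * the caller should overwrite the stored hash with an upgraded one.
 */
function check_and_upgrade(string $password, string $stored): array
{
    if (is_legacy_md5($stored)) {
        // Constant-time comparison; lowercase in case the digest was stored in upper case.
        $ok = hash_equals(strtolower($stored), md5($password));
        // Only a successful login gives us the plaintext needed to rehash.
        return [$ok, $ok ? password_hash($password, PASSWORD_DEFAULT) : null];
    }
    $ok = password_verify($password, $stored);
    // Also refresh hashes created with outdated algorithm or cost settings.
    $new = ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT))
        ? password_hash($password, PASSWORD_DEFAULT) : null;
    return [$ok, $new];
}

/** Hypothetical login routine over an in-memory users table. */
function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    [$ok, $replacement] = check_and_upgrade($password, $users[$name]);
    if ($replacement !== null) {
        $users[$name] = $replacement; // persist the upgraded hash
    }
    return $ok;
}

// Constructed sample row: an MD5 value set by hand, e.g. through phpMyAdmin.
$users = ['alice' => md5('correct horse')];

var_dump(login($users, 'alice', 'wrong'));         // failed attempt: stored hash untouched
var_dump(is_legacy_md5($users['alice']));          // still the legacy format?
var_dump(login($users, 'alice', 'correct horse')); // verified against MD5, then converted
var_dump(is_legacy_md5($users['alice']));          // format after the first good login
var_dump(login($users, 'alice', 'correct horse')); // now checked by password_verify()
```

Accounts that never log in again keep their MD5 value indefinitely, so a count of rows still matching the 32-hex pattern shows how much of the table remains on the old scheme.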
Could anyone detail the COOKIE improvements, instead?
I am trying to upgrade a plugin that was using another authentication scheme, and I need to generate the cookie.
wp_set_auth_cookie($UserID) seems like a no-brainer function to use… (I was using the wp_setcookie before and obviously have to change that piece of the plugin…)… yet it is not working so far. It is probably something very stupid that I am not seeing… I’ll be better off to sleep, and probably tomorrow I will figure it out…
But any hint is appreciated 🙂
Ok, nevermind my previous comment – I’ve figured it out 🙂