PHP Native Password Hash

This plugin swaps out WordPress core’s password hashing mechanism with PHP 5.5’s password_hash() and its accompanying functions. By default, PHP uses bcrypt to hash the passwords. If available, this plugin will use modern Argon2 algorithm. The transition will be transparent.

• A password salt will be generated using a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG)
• Password hashes are safe from dictionary attacks with rainbow tables or any other precomputed hash lists, because a secure salt is generated for each password.
• The password hashing is iterated multiple times to provide a good resistance against brute-force attacks.
• Password checks are made in a way that it mitigates time-attacks.
• You do not have to reset passwords of all users. Passwords already hashed in the database will be rehashed automatically and transparently the next time the user logs in.
• PHP might come up with newer password hashing algorithms, and they will be automatically supported without having to reset all the passwords.

This plugin was made initially because one of our applications used WordPress for authentication, but we needed to use an external system
to verify the passwords directly from the database too. Since WordPress has its own password hashing algorithm, we decided to make this plugin to address that problem.
With this plugin, passwords generated by both WordPress and other custom applications now use the PHP’s default password_hash() functions without compromising any of the applications’ security.

This plugin is designed to be as minimal and fast as possible, and can be considered a must-use for EVERY WordPress application given the minimal footprint of this plugin, and considering the importance of using a secure hashing algorithm for passwords.