diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php
index 3058986ab6..2b9d912958 100644
--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -1805,6 +1805,7 @@ function wp_new_user_notification( $user_id, $deprecated = null, $notify = '' )
 
 	// Now insert the key, hashed, into the DB.
 	if ( empty( $wp_hasher ) ) {
+		require_once ABSPATH . WPINC . '/class-phpass.php';
 		$wp_hasher = new PasswordHash( 8, true );
 	}
 	$hashed = time() . ':' . $wp_hasher->HashPassword( $key );
@@ -2085,6 +2086,7 @@ function wp_hash_password($password) {
 	global $wp_hasher;
 
 	if ( empty($wp_hasher) ) {
+		require_once( ABSPATH . WPINC . '/class-phpass.php');
 		// By default, use the portable hash from phpass
 		$wp_hasher = new PasswordHash(8, true);
 	}
@@ -2144,6 +2146,7 @@ function wp_check_password($password, $hash, $user_id = '') {
 	// If the stored hash is longer than an MD5, presume the
 	// new style phpass portable hash.
 	if ( empty($wp_hasher) ) {
+		require_once( ABSPATH . WPINC . '/class-phpass.php');
 		// By default, use the portable hash from phpass
 		$wp_hasher = new PasswordHash(8, true);
 	}
diff --git a/wp-includes/post-template.php b/wp-includes/post-template.php
index 924e3996fb..b2fc1bfe46 100644
--- a/wp-includes/post-template.php
+++ b/wp-includes/post-template.php
@@ -793,6 +793,7 @@ function post_password_required( $post = null ) {
 		return apply_filters( 'post_password_required', true, $post );
 	}
 
+	require_once ABSPATH . WPINC . '/class-phpass.php';
 	$hasher = new PasswordHash( 8, true );
 
 	$hash = wp_unslash( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] );
diff --git a/wp-includes/user.php b/wp-includes/user.php
index 3067278363..dcd102623a 100644
--- a/wp-includes/user.php
+++ b/wp-includes/user.php
@@ -2121,6 +2121,7 @@ function get_password_reset_key( $user ) {
 
 	// Now insert the key, hashed, into the DB.
 	if ( empty( $wp_hasher ) ) {
+		require_once ABSPATH . WPINC . '/class-phpass.php';
 		$wp_hasher = new PasswordHash( 8, true );
 	}
 	$hashed = time() . ':' . $wp_hasher->HashPassword( $key );
@@ -2165,6 +2166,7 @@ function check_password_reset_key($key, $login) {
 		return new WP_Error('invalid_key', __('Invalid key'));
 
 	if ( empty( $wp_hasher ) ) {
+		require_once ABSPATH . WPINC . '/class-phpass.php';
 		$wp_hasher = new PasswordHash( 8, true );
 	}
 
diff --git a/wp-includes/version.php b/wp-includes/version.php
index cdd80646ee..39dac33ffa 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.8-alpha-40382';
+$wp_version = '4.8-alpha-40387';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
diff --git a/wp-login.php b/wp-login.php
index 03422b3d71..d21ce154fd 100644
--- a/wp-login.php
+++ b/wp-login.php
@@ -438,6 +438,7 @@ case 'postpass' :
 		exit();
 	}
 
+	require_once ABSPATH . WPINC . '/class-phpass.php';
 	$hasher = new PasswordHash( 8, true );
 
 	/**
diff --git a/wp-settings.php b/wp-settings.php
index 8dd0f40317..d1505c502d 100644
--- a/wp-settings.php
+++ b/wp-settings.php
@@ -100,7 +100,6 @@ require( ABSPATH . WPINC . '/class-wp-matchesmapregex.php' );
 require( ABSPATH . WPINC . '/class-wp.php' );
 require( ABSPATH . WPINC . '/class-wp-error.php' );
 require( ABSPATH . WPINC . '/pomo/mo.php' );
-require( ABSPATH . WPINC . '/class-phpass.php' );
 
 // Include the wpdb class and, if present, a db.php database drop-in.
 global $wpdb;