[wp-hackers] Rethinking check_admin_referer()

[Sam Angove]

On 4/22/06, Robert Deaton <false.hopes at gmail.com> wrote:
>
> First, you'd have to get a nonce. Explain to me how you would even
> approach that, and then maybe this code is valid, but even at that
> point, the time to md5 an entire database is weeks, and that won't
> even cover all passwords. Like was posted before, for all alphanumeric
> passwords 8 characters long, it'd take the average PC 3 years to
> crack. Think about the time it'd take in the range of 6-12 characters,
> you're talking about spending your lifetime cracking one md5 password.
> This is unrealistic, and like Owen said, when someone comes up with a
> working exploit, post again, otherwise, drop it.

Any registered user can get their own nonce with that notorious hacker
trick, "view source". Dastardly!

re: the various challenges offered, it's been pointed out time and
again that people on this list aren't representative users. I don't
have a dictionary word as a password; my mum does. That puts the
keyspace down from > 2500000000000 to less than 100000. That's an
afternoon, not a lifetime. Someone that actually cared could use
rainbow tables and do any  8-char alphanumeric password in < 20
minutes, but that person is not me.

Seriously though, I don't care about this "attack", I'm not being
paranoid, and I don't think this is something anyone's ever actually
going to do. I'm just pointing out that it's theoretically possible,
and it's silly to leave it when it can be trivially avoided by adding
extra salt or doing something like what the DB backup plugin does:

   substr( md5( md5( DB_PASSWORD ) ), -5 )