[wp-hackers] Wordpress Cookie Authentication Vulnerability
computerguru at neosmart.net
Thu Nov 22 02:40:32 GMT 2007
Honestly, I'm surprised WP hasn't done that already... But that does not
address the main issue here (which should NEVER occur if you take care of
your stuff... *assuming* wp doesn't have any exploits) and that is how to
maintain user password integrity after being hacked.
(Oh, and if we're going with a SALT, we had damn-well better not use MD5...)
On 11/22/07, Callum Macdonald <lists.automattic.com at callum-macdonald.com>
> I think it would be a significant improvement to store each password
> with a randomly generated salt. I think using a random salt based on the
> current microtime would be sufficient.
> This would negate md5 rainbow attacks in reversing passwords from the
> database. Plus, it's relatively easy to compute. It's a simple, elegant
> Cheers - Callum.
> Computer Guru wrote:
> > On 11/22/07, Viper007Bond <viper at viper007bond.com> wrote:
> >> Manually picking and having to change a salt often is major pain in the
> >> ass
> >> and something the average user won't do.
> >> Better to have it be automated if you ask me.
> > That's not exactly difficult though, :-D
> > A big red button "I've been hacked!"
> > Clicky-the-button:
> > WP adds a new column, randomly generated salt (salt1, salt2, salt3).
> > WP re-creates password hashes: password_hash = md5(currenthash .
> > md5(latestsalt))
> > WP updates login routine from password_hash = md5(password . md5(salt1)
> > password_hash = md5( md5(password . md5(salt1)) . md5(salt2) )
> > It's excellent in principle IMHO... but it can quickly get out of hand
> > Besides the time it takes to perform 4 md5 calculations versus the
> > (and if you get hacked again, it would be 8!), it's too hackish for my
> > liking.
> > So yeah, it would be great for when Digg gets hacked, krose can just add
> > second salt be done with it. But I don't think (even though this was my
> > :lol:) that this would work for a distributed package that we expect
> > to install who probably don't know what MD5 is in the first place.......
> > Obviously the ideal solution would be to use reversible encryption
> > of a MD5 hash. When the db gets hacked, reverse the encryption to obtain
> > plain-text password, reset the SALT column to new random values, and
> > recreate the hash once more.
> > Which brings me to yet another question:
> > 1) Do you WANT to trust *ALL* the WP users out there to have a
> > hash of user's passwords in the DB? Sure, they can easily modify the
> > code to log passwords before hashing them, but that takes some hacking
> > talent - and hackers have their own code of ethics to adhere to ;)
> > Seriously though, if you present the password as a reversible
> > you'll be giving script kiddies the time of their life. But it DOES
> > the problem.....
> > 2) Are there any *uncracked* encryption libraries for PHP out there?
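Added example, not code from the thread or from WordPress: a per-user random salt plus the chained "I've been hacked" re-salt sketched above, using SHA-256 rather than MD5 as the reply urges, and a CSPRNG salt in place of microtime (an assumption of this example). The last check in `demo()` shows the limit of re-salting a stored hash: anyone holding the old hash and the new salt can compute the new hash, so it does not undo a leak.

```python
import hashlib
import hmac
import secrets


def h(data: bytes) -> bytes:
    """One-way hash; SHA-256 here instead of the thread's MD5."""
    return hashlib.sha256(data).digest()


def create_record(password: str) -> dict:
    """Fresh random per-user salt (CSPRNG, not microtime) and the salted hash."""
    salt = secrets.token_bytes(16)
    return {"salts": [salt], "hash": h(password.encode() + salt)}


def verify(record: dict, password: str) -> bool:
    """Replay the salt chain in order, then compare in constant time."""
    digest = h(password.encode() + record["salts"][0])
    for salt in record["salts"][1:]:
        digest = h(digest + salt)
    return hmac.compare_digest(digest, record["hash"])


def rotate_salt(record: dict) -> dict:
    """The 'I've been hacked' button: append a new salt and re-hash the stored hash,
    without ever knowing the plaintext password."""
    salt = secrets.token_bytes(16)
    return {"salts": record["salts"] + [salt], "hash": h(record["hash"] + salt)}


def demo() -> dict:
    # Constructed sample users: two accounts sharing the same password.
    alice = create_record("correct horse")
    bob = create_record("correct horse")
    rotated = rotate_salt(alice)
    return {
        # Per-user salt: identical passwords no longer share a hash.
        "same_password_distinct_hashes": alice["hash"] != bob["hash"],
        # A precomputed table keyed on the unsalted hash finds nothing.
        "unsalted_table_misses": h(b"correct horse") not in (alice["hash"], bob["hash"]),
        # Login still works after rotation, and wrong passwords are still rejected.
        "login_survives_rotation": verify(rotated, "correct horse"),
        "wrong_password_rejected": not verify(rotated, "wrong"),
        # Caveat: old hash + new salt fully determines the new hash.
        "old_hash_predicts_new": h(alice["hash"] + rotated["salts"][-1]) == rotated["hash"],
    }
```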