[wp-hackers] Password Handling Improvements - Trac Ticket #2870

David Weitz dabbaking at gmail.com
Tue Sep 25 22:08:30 GMT 2007


A salt would be a good idea. Maybe we can do like registration time + 
sha1 of password?

Callum Macdonald wrote:
> I think generating passwords automatically is a good idea. I think 
> overall, it will lead to a net gain in security. I'd support lengthening 
> the password though, and definitely changing the algorithm that builds 
> them. I notice there's a lot of numbers in them (I set up a lot of wp 
> installs on a dev server).
> 
> I'd also be in favour of storing the passwords differently, adding a 
> unique salt value with each user and storing the md5 of the password 
> plus the salt. That would protect user accounts from rainbow attacks. 
> Anyone else think it's worth the effort?
> 
> Cheers - Callum.
> 
> David Weitz wrote:
>> I'm referring to this: http://trac.wordpress.org/ticket/2870
>>
>> I would have to make a new patch if we were to decide to put it in 
>> 2.4, but I just wanted to see what other people think.
>>
>> I know people probably don't create as secure passwords as the system 
>> does, but they're going to change it to what they want and it will be 
>> easier to just allow them, if they want, to make their own when they 
>> create a new installation. I say that we can take the middle ground of 
>> having a checkbox that can be checked if you would rather have WP 
>> create a password. If the user wants to create his own, it would have 
>> a password and confirm password box.
>>
>> Any other ideas?
>>
>> -- 
>> Dave
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
> 
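
The per-user salt scheme Callum describes, compared with unsalted MD5, as an added example (not code from this thread or from WordPress). Function names, user names and the wordlist are constructed, and the salt here is assumed to come from a CSPRNG rather than the registration time.

```python
import hashlib
import hmac
import secrets

# MD5 is used only because the thread names it. The salt defeats
# precomputed tables; a deliberately slow function such as
# hashlib.pbkdf2_hmac is what raises the cost of each guess.

def unsalted_md5(password):
    # Baseline: identical passwords always yield identical digests.
    return hashlib.md5(password.encode()).hexdigest()

def new_record(password):
    # Scheme from the thread: a unique salt per user, stored next to
    # md5(salt + password). Assumption: 16 random bytes from a CSPRNG.
    salt = secrets.token_hex(16)
    digest = hashlib.md5((salt + password).encode()).hexdigest()
    return {"salt": salt, "hash": digest}

def verify(record, candidate):
    # Recompute with the stored salt, then compare in constant time.
    digest = hashlib.md5((record["salt"] + candidate).encode()).hexdigest()
    return hmac.compare_digest(digest, record["hash"])

def precomputed_table(wordlist):
    # Stand-in for a rainbow table: digest -> password, built once, no salt.
    return {unsalted_md5(w): w for w in wordlist}

def compare_schemes():
    wordlist = ["letmein", "password1", "qwerty"]  # constructed sample
    table = precomputed_table(wordlist)
    # Constructed users who happen to share one password.
    plain = {u: unsalted_md5("letmein") for u in ("alice", "bob")}
    salted = {u: new_record("letmein") for u in ("alice", "bob")}
    return {
        "unsalted_found": sorted(u for u, h in plain.items() if h in table),
        "salted_found": sorted(u for u, r in salted.items() if r["hash"] in table),
        "unsalted_identical": plain["alice"] == plain["bob"],
        "salted_identical": salted["alice"]["hash"] == salted["bob"]["hash"],
        "good_login": verify(salted["alice"], "letmein"),
        "bad_login": verify(salted["alice"], "qwerty"),
    }

if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(key, value)
```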

