[wp-hackers] Password Handling Improvements - Trac Ticket #2870

DD32 wordpress at dd32.id.au
Wed Sep 26 00:54:57 GMT 2007


That's a good article, but there's one thing I hate about the articles about salting:
Salting prevents rainbow table lookup, but if you're having to store the salt along with the password, it won't do anything to prevent a brute force attack, or a targeted rainbow table.

The article says that the aim of the game is to make the salt long enough that the string is too long to be brute forced, but hold up there: if they're stored together, then you've already got the first 128 characters of the hashed string (the salt), therefore the brute force attack is now going to take the same time regardless of whether the password is stored with a salt or not.

So:
Yes, salting with a per-blog specific value is a good idea, one that doesn't change between upgrades of WP too.
Yes, salting with a per-user specific value is a great idea.
No, salting does not prevent brute force attacks if it's possible to access both hash and salt.
Yes, salting prevents the use of most pre-made rainbow tables. However, if the salt used is constant for all users of a blog, and an attacker can get the salt, then a rainbow table can easily be created for that specific blog (and given the hardware performance of today and most passwords being relatively short, it wouldn't take long).

So the outcome? Adding a salt will prevent the use of Generic Rainbow tables.

But what's the hashing speed of MD5 these days? Anything from 50 to 500 hashes a second on today's average hardware can be expected, it seems. There are probably more efficient algorithms too. Keeping in mind that many passwords will not be cryptographically secure, my last password could be cracked within a few minutes with brute force, and I thought it looked pretty random and secure -- apparently I was wrong.

D

On Wed, 26 Sep 2007 00:27:38 +0100, Computer Guru <computerguru at neosmart.net> wrote:

> If you're not going to use SHA-512, then you MUST read this excellent article on the topic of correct storage procedures for passwords in databases by Jeff Atwood: http://www.codinghorror.com/blog/archives/000953.html
>
> It's a must-read for anyone storing passwords or other sensitive info in the DB that you don't NEED to have the original value for.
>
> Computer Guru
> NeoSmart Technologies
> http://neosmart.net/
>
>
>> -----Original Message-----
>> From: wp-hackers-bounces at lists.automattic.com [mailto:wp-hackers-
>> bounces at lists.automattic.com] On Behalf Of Callum Macdonald
>> Sent: Wednesday, September 26, 2007 12:36 AM
>> To: wp-hackers at lists.automattic.com
>> Subject: Re: [wp-hackers] Password Handling Improvements - Trac Ticket
>> #2870
>>
>> I think generating passwords automatically is a good idea. I think
>> overall, it will lead to a net gain in security. I'd support
>> lengthening
>> the password though, and definitely changing the algorithm that builds
>> them. I notice there's a lot of numbers in them (I set up a lot of wp
>> installs on a dev server).
>>
>> I'd also be in favour of storing the passwords differently, adding a
>> unique salt value with each user and storing the md5 of the password
>> plus the salt. That would protect user accounts from rainbow attacks.
>> Anyone else think it's worth the effort?
>>
>> Cheers - Callum.
>>
>> David Weitz wrote:
>> > I'm referring to this: http://trac.wordpress.org/ticket/2870
>> >
>> > I would have to make a new patch if we were to decide to put it in
>> > 2.4, but I just wanted to see what other people think.
>> >
>> > I know people probably don't create as secure passwords as the system
>> > does, but they're going to change it to what they want and it will be
>> > easier to just allow them, if they want, to make their own when they
>> > create a new installation. I say that we can take the middle ground of
>> > having a checkbox that can be checked if you would rather have WP
>> > create a password. If the user wants to create his own, it would have
>> > a password and confirm password box.
>> >
>> > Any other ideas?
>> >
>> > --
>> > Dave
>> > _______________________________________________
>> > wp-hackers mailing list
>> > wp-hackers at lists.automattic.com
>> > http://lists.automattic.com/mailman/listinfo/wp-hackers
>> >
>> >
>>
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
> 
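The comparison DD32 draws above, as an added example (not code from the thread or from WordPress): a generic precomputed md5 table is useless against a per-user salt, but a guessing loop that holds the stored record, salt included, needs exactly the same number of guesses with or without the salt. The `pbkdf2` scheme is included to show the one lever that does change that picture, a per-guess cost factor; the wordlist, salts and scheme names are constructed for the demo.

```python
import hashlib
import os

# Constructed candidate list standing in for an attacker's dictionary (not real data).
WORDLIST = ["password", "letmein", "qwerty", "hunter2", "wordpress", "sunshine"]

def derive(scheme, password, salt="", rounds=1):
    """Compute the stored hash for a scheme. Guessing must run exactly this function,
    so whatever it costs the verifier per login, it costs the attacker per guess."""
    if scheme == "md5":            # plain md5(password), as WP stored passwords at the time
        return hashlib.md5(password.encode()).hexdigest()
    if scheme == "md5-salted":     # md5(salt || password), the per-user salt proposed in the thread
        return hashlib.md5((salt + password).encode()).hexdigest()
    if scheme == "pbkdf2":         # iterated scheme: per-guess cost is multiplied by rounds
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), rounds).hex()
    raise ValueError(scheme)

def store(scheme, password, salt=None, rounds=1):
    """Return what a database row would hold: scheme, salt (if any), rounds, hash."""
    if scheme == "md5":
        salt = ""
    elif salt is None:
        salt = os.urandom(16).hex()   # fresh random salt per user
    return {"scheme": scheme, "salt": salt, "rounds": rounds,
            "hash": derive(scheme, password, salt, rounds)}

def build_table(words):
    """Generic precomputed table md5(word) -> word: built once, reusable against any site."""
    return {derive("md5", w): w for w in words}

def table_lookup(record, table):
    """Instant lookup of a leaked hash; a salt the table did not know about defeats it."""
    return table.get(record["hash"])

def brute_force(record, words):
    """Guessing with the whole record (salt included) in hand.
    Returns (password or None, guesses made, hash operations spent)."""
    for i, w in enumerate(words, 1):
        if derive(record["scheme"], w, record["salt"], record["rounds"]) == record["hash"]:
            return w, i, i * record["rounds"]
    return None, len(words), len(words) * record["rounds"]
```

The guess count for `hunter2` is four under every scheme; only the `rounds` multiplier changes the work the attacker has to spend per guess.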