[wp-hackers] Password Handling Improvements - Trac Ticket #2870

Computer Guru computerguru at neosmart.net
Wed Sep 26 02:09:36 GMT 2007


> Yes, Salting with a per-blog specific value is a good idea, One that
> doesnt change between upgrades of WP too.
> Yes, Salting with a per-user specific value is a great idea.
> No, Salting does not prevent brute force attacks if its possible to
> access both hash and salt.
> Yes, Salting prevents the use of most pre-made rainbow tables, However,
> If the salt used is constant for all users of a blog, and an attacker
> can get the salt, then a rainbow table can easily be created for that
> specific blog (And given the hardware performance of today and most
> passwords being relitivly short, it wouldnt take long).

Assuming a system like this:

$password_hash = MD5( MD5($salt) . MD5($plain_text_password) );
Where $password_hash and $salt are the db columns....

The salt should NEVER be constant, or else what's the point of it? It just becomes a "customized MD5" function instead of a stock MD5, nothing more.

But you should have a different salt for each user, so that even if it is stored in plaintext in the same database and is compromised along with the password hashes, the hacker will have to - in the best case scenario - look up each and every row in the db individually... whether by rainbow tables or brute force attacks...

Whereas if no salt is deployed or a constant salt is used, the end result doesn't change: a single brute force attack and find *all* the passwords simultaneously... Only benefit of a constant salt is that renders previously created rainbow tables useless.... but that's no biggie.

This is what a users table should look like for security:

.................................
| ID |  NAME  | PASSHASH | SALT |
|...............................|
| 1  | Alpha  | 13e3ee4  | abc8 |
| 2  | Beta   | EU8ea&$  | axa! |
| e  |  t     |    c     |  .   |
.................................

That's about as secure as you can get (especially if you don't use MD5).

Feel free to correct me if I'm mistaken, it's been a while since my last crypto-related project.


-CG



More information about the wp-hackers mailing list