[wp-testers] Wordpress Google MD5 hash crack
PkbCS Contact
contact at pkbcs.com
Wed Nov 21 16:33:47 GMT 2007
Obtaining the MD5 hash is not that difficult. A lot of shared hosts do
not protect the web roots of their users properly which makes it a
trivial task to obtain the contents of wp-config.php and connect to the
user's database and obtain the hash. Simply using word that are not a
part of any language will keep you safe against weaker cracking
attempts; however, a determined hacker can, and will make use of rainbow
tables which have hashes not only for dictionary words, but also huge
collections of random alphanumeric and special character strings.
So, IF the host is setup properly, IF the application is not vulnerable
to queries that can return the admin password hash and IF the hacker is
not determined enough to use a rainbow table to crack the hash, then
yes, it's nothing to worry about.
From what I understand, it's a relatively trivial matter to add a
"salt" function that would further protect the MD5 hash. I believe this
would be the best solution because the upgrade script could prompt the
user for a salt string and the hashes could be converted as part of the
upgrade process. Another option is generating the salt string
automatically and outputting it for the user to save in a safe place.
Bull3t wrote:
> You need to know the MD5 hash of the password in the first place and even
> then it is just luck of the draw, it really isn't that worrying. Just use a
> password that isn't part of a language?
>
>
> --------------------------------------------
> Bull3t
> http://www.bull3t.me.uk/
>
>
>> -----Original Message-----
>> From: wp-testers-bounces at lists.automattic.com [mailto:wp-testers-
>> bounces at lists.automattic.com] On Behalf Of Pål GD
>> Sent: 21 November 2007 13:45
>> To: wp-testers at lists.automattic.com
>> Subject: Re: [wp-testers] Wordpress Google MD5 hash crack
>>
>> Cornell Finch wrote:
>>
>>> I know this probably isn't the right place to put this but I don't
>>> know where else to submit it:
>>>
>>> http://www.theregister.co.uk/2007/11/21/google_md5_crack/
>>>
>>> Is this something we should be worried about?
>>>
>>> Collin
>>>
>> Yes, indeed. Wordpress should have been doing salting[1], which I don't
>> think they do.
>>
>> [1] http://en.wikipedia.org/wiki/Salting_(cryptography)
>> _______________________________________________
>> wp-testers mailing list
>> wp-testers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-testers
>>
>> No virus found in this incoming message.
>> Checked by AVG Free Edition.
>> Version: 7.5.503 / Virus Database: 269.16.2/1143 - Release Date:
>>
> 21/11/2007
>
>> 10:01
>>
>>
>
> No virus found in this outgoing message.
> Checked by AVG Free Edition.
> Version: 7.5.503 / Virus Database: 269.16.2/1143 - Release Date: 21/11/2007
> 10:01
>
>
> _______________________________________________
> wp-testers mailing list
> wp-testers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-testers
>
>
--
Best regards,
James Morris
PkbCS, LLC
contact at pkbcs.com
http://pkbcs.com/
More information about the wp-testers
mailing list