[wp-trac] [WordPress Trac] #33904: user_activation_key is too short causing password reset process to break when using bcrypt

WordPress Trac noreply at wordpress.org
Wed Sep 16 20:18:31 UTC 2015


#33904: user_activation_key is too short causing password reset process to break
when using bcrypt
--------------------------+-----------------------------
 Reporter:  tomdxw        |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Users         |    Version:  4.3
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 The field for storing the hash of the password reset token
 (user_activation_key in wp_users) is a varchar(60).

 In 4.3, WordPress very wisely started including a timestamp field in
 user_activation_key. This poses no problem when using the default
 "portable" hashing algorithm which takes up 34 bytes in string form.

 The timestamp plus the colon plus the hash takes up just 45 bytes. Plenty
 of space left over.

 However, at my company we use a plugin which replaces the default
 $wp_hasher instance with something that produces slightly harder-to-crack
 hashes (i.e. bcrypt):

     $wp_hasher = new PasswordHash(12, false);

 bcrypt produces password hashes which are 60 bytes long. So the
 timestamped hash would be 71 bytes long.

 And this means that the password reset mechanism breaks entirely.
 WordPress attempts to store the new value in the database, but MySQL
 complains because it's trying to store 71 bytes in a varchar(60).

 But it still sends the email, and the user is left wondering why they
 can't reset their password.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/33904>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
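The length arithmetic in the ticket, together with the guard a practitioner would want (check that the key fits the column before any e-mail goes out), as an added Python example that is not WordPress code or the reporter's code. The sample hashes are constructed with the real structural lengths of each scheme; the key layout and the varchar(60) width are the ones the ticket describes.

```python
# Added example (not WordPress code): model the 4.3 user_activation_key layout
# "<unix timestamp>:<password hash>" and check it against the varchar(60)
# column before anything downstream (such as the reset e-mail) runs.
import time
from typing import Optional

COLUMN_WIDTH = 60  # wp_users.user_activation_key is varchar(60)

# Constructed sample hashes with the structural lengths of each scheme:
# phpass "portable": "$P$" + 1 cost char + 8 salt + 22 hash = 34 chars
# bcrypt:            "$2a$12$" + 22 salt + 31 hash          = 60 chars
PORTABLE_HASH = "$P$B" + "a" * 8 + "b" * 22
BCRYPT_HASH = "$2a$12$" + "c" * 22 + "d" * 31

# Constructed timestamp (the ticket's send time); any 10-digit epoch works.
SAMPLE_TS = 1442434711


def build_activation_key(token_hash: str, ts: Optional[int] = None) -> str:
    """Mirror the 4.3 layout: unix timestamp, a colon, then the token hash."""
    if ts is None:
        ts = int(time.time())
    return f"{ts}:{token_hash}"


def fits_column(key: str, width: int = COLUMN_WIDTH) -> bool:
    """True when MySQL can store the key without rejecting or truncating it."""
    return len(key.encode("utf-8")) <= width


def store_reset_key(token_hash: str, ts: int = SAMPLE_TS) -> dict:
    """Model the reset flow with the guard in the right place: the e-mail is
    only marked as sent when the key actually fits the column, instead of
    failing the write and mailing the user anyway as the ticket describes."""
    key = build_activation_key(token_hash, ts)
    ok = fits_column(key)
    return {"key_len": len(key), "stored": ok, "email_sent": ok}
```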