[wp-hackers] Rethinking check_admin_referer()

Robert Deaton false.hopes at gmail.com
Fri Apr 21 23:12:49 GMT 2006

On 4/21/06, Denis de Bernardy <denis at semiologic.com> wrote:
> Note that "try all combinations" is not a realistic exercise.
> Usually password cracking is done with the help of dictionaries, which
> contain both regular words and various mutations of them.  So, even
> somewhat word-like passwords could be cracked much faster than the above
> numbers suggest, and a 6-character non-word like password may escape
> cracking.  Or not.

Still, all of this is irrelevant to the discussion, which has nothing
to do with cracking md5s or finding their collisions. Even if you did
want to use this approach to try to figure out someone's db pass,
you're almost guaranteed to have at least 12 characters (1 for user
ID, 5 for the variable time bit, and at least 6 for your MySQL
password (probably could be less, but realisitically, it rarely will
be)). To be blunt, its unrealisitic to think that someone could get
your nonce (this in itself would be a chore) and from there crack your
database password, and even if done, get access to your database
(which is more likely than not set up to only accept local connections
through a socket on most shared hosts).

We're working in an environment where speed is of the utmost
importance, switching to an algorithm which is twice as slow to do
these checks when navigating the admin will cost us majorly,
especially while we're supporting PHP 4.1.x, and 4.2.x and the
possibility of having to reimplement one of these hashing algorithms
in PHP. To put it bluntly, md5 is good enough for this purpose, to
argue its usefulness for passwords, please open a different thread,
and I'll agree with you wholeheartedly there.

--Robert Deaton

More information about the wp-hackers mailing list