[wp-hackers] Wordpress Cookie Authentication Vulnerability

Computer Guru computerguru at neosmart.net
Thu Nov 22 02:07:43 GMT 2007


On 11/22/07, Viper007Bond <viper at viper007bond.com> wrote:
>
> Manually picking and having to change a salt often is a major pain in the ass
> and something the average user won't do.
>
> Better to have it be automated if you ask me.
>
That's not exactly difficult though, :-D

A big red button "I've been hacked!"
Clicky-the-button:
WP adds a new column, randomly generated salt (salt1, salt2, salt3).
WP re-creates password hashes: password_hash = md5(currenthash . md5(latestsalt))
WP updates login routine from password_hash = md5(password . md5(salt1)) to
password_hash = md5( md5(password . md5(salt1)) . md5(salt2) )

It's excellent in principle IMHO... but it can quickly get out of hand :-(

Besides the time it takes to perform 4 md5 calculations versus the original
(and if you get hacked again, it would be 8!), it's too hackish for my
liking.

So yeah, it would be great for when Digg gets hacked, krose can just add a
second salt and be done with it. But I don't think (even though this was my idea
:lol:) that this would work for a distributed package that we expect people
to install who probably don't know what MD5 is in the first place.......

Obviously the ideal solution would be to use reversible encryption instead
of an MD5 hash. When the db gets hacked, reverse the encryption to obtain
plain-text password, reset the SALT column to new random values, and then
recreate the hash once more.

Which brings me to yet another question:
1) Do you WANT to trust *ALL* the WP users out there to have a REVERSIBLE
hash of users' passwords in the DB? Sure, they can easily modify the current
code to log passwords before hashing them, but that takes some hacking
talent - and hackers have their own code of ethics to adhere to ;)

Seriously though, if you present the password as a reversible encryption,
you'll be giving script kiddies the time of their life. But it DOES solve
the problem.....
2) Are there any *uncracked* encryption libraries for PHP out there?


-- 
Computer Guru
Director,
NeoSmart Technologies
http://neosmart.net/blog/
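
The button-press re-hash and the updated login check from the message above, written out in PHP as an added example (not code from the original post or from WordPress). The function names and sample values are assumptions; MD5 is kept only because the message uses it.

```php
<?php
// Added illustration of the layered-salt re-hash described in the message.
// Function names and sample values are hypothetical.

// Original single-salt scheme: md5(password . md5(salt1)).
function base_hash(string $password, string $salt1): string {
    return md5($password . md5($salt1));
}

// "I've been hacked!" button: wrap the stored hash with one more salt,
// md5(currenthash . md5(latestsalt)). The plaintext password is not needed.
function add_salt_layer(string $currentHash, string $latestSalt): string {
    return md5($currentHash . md5($latestSalt));
}

// Login routine: rebuild the whole chain from the submitted password,
// applying every salt in the order it was added (salt1, salt2, ...).
function chained_hash(string $password, array $salts): string {
    $hash = base_hash($password, $salts[0]);
    foreach (array_slice($salts, 1) as $salt) {
        $hash = add_salt_layer($hash, $salt);
    }
    return $hash;
}

// Constant-time comparison of the recomputed chain with the stored value.
function verify_login(string $password, array $salts, string $stored): bool {
    return hash_equals($stored, chained_hash($password, $salts));
}

// Constructed sample row (not from the post).
$salts     = [bin2hex(random_bytes(16))];            // salt1 column
$stored    = base_hash('correct horse', $salts[0]);  // hash as stored before the breach
$oldStored = $stored;                                // copy an attacker would hold

// Button pressed: new salt column, stored hash rewritten in place.
$salts[] = bin2hex(random_bytes(16));                // salt2 column
$stored  = add_salt_layer($stored, $salts[1]);

// The user's password still verifies against the two-salt chain.
var_dump(verify_login('correct horse', $salts, $stored));
// A wrong password is rejected.
var_dump(verify_login('wrong guess', $salts, $stored));
// The pre-breach hash no longer equals what is stored in the row.
var_dump(hash_equals($stored, $oldStored));
```

Each further button press appends one salt to `$salts` and one more `add_salt_layer` pass to every login, which is the growth in work the message complains about.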

