[wp-hackers] Wordpress Cookie Authentication Vulnerability

Computer Guru computerguru at neosmart.net
Thu Nov 22 02:40:32 GMT 2007


Honestly, I'm surprised WP hasn't done that already... But that does not
address the main issue here (which should NEVER occur if you take care of
your stuff... *assuming* wp doesn't have any exploits) and that is how to
maintain user password integrity after being hacked.

(Oh, and if we're going with a SALT, we had damn-well better not use MD5...)


On 11/22/07, Callum Macdonald <lists.automattic.com at callum-macdonald.com> wrote:
>
> I think it would be a significant improvement to store each password
> with a randomly generated salt. I think using a random salt based on the
> current microtime would be sufficient.
>
> This would negate md5 rainbow attacks in reversing passwords from the
> database. Plus, it's relatively easy to compute. It's a simple, elegant
> solution.
>
> Cheers - Callum.
>
> Computer Guru wrote:
> > On 11/22/07, Viper007Bond <viper at viper007bond.com> wrote:
> >
> >> Manually picking and having to change a salt often is major pain in the
> >> ass and something the average user won't do.
> >>
> >> Better to have it be automated if you ask me.
> >>
> >>
> > That's not exactly difficult though, :-D
> >
> > A big red button "I've been hacked!"
> > Clicky-the-button:
> > WP adds a new column, randomly generated salt (salt1, salt2, salt3).
> > WP re-creates password hashes: password_hash = md5(currenthash . md5(latestsalt))
> > WP updates login routine from password_hash = md5(password . md5(salt1)) to
> > password_hash = md5( md5(password . md5(salt1)) . md5(salt2) )
> >
> > It's excellent in principle IMHO... but it can quickly get out of hand :-(
> >
> > Besides the time it takes to perform 4 md5 calculations versus the original
> > (and if you get hacked again, it would be 8!), it's too hackish for my
> > liking.
> >
> > So yeah, it would be great for when Digg gets hacked, krose can just add a
> > second salt and be done with it. But I don't think (even though this was my
> > idea :lol:) that this would work for a distributed package that we expect
> > people to install who probably don't know what MD5 is in the first
> > place.......
> >
> > Obviously the ideal solution would be to use reversible encryption instead
> > of an MD5 hash. When the db gets hacked, reverse the encryption to obtain
> > plain-text password, reset the SALT column to new random values, and then
> > recreate the hash once more.
> >
> > Which brings me to yet another question:
> > 1) Do you WANT to trust *ALL* the WP users out there to have a REVERSIBLE
> > hash of users' passwords in the DB? Sure, they can easily modify the
> > current code to log passwords before hashing them, but that takes some
> > hacking talent - and hackers have their own code of ethics to adhere to ;)
> >
> > Seriously though, if you present the password as a reversible encryption,
> > you'll be giving script kiddies the time of their life. But it DOES solve
> > the problem.....
> > 2) Are there any *uncracked* encryption libraries for PHP out there?
> >
> >
> >
>



-- 
Computer Guru
Director,
NeoSmart Technologies
http://neosmart.net/blog/
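
The salt-layering scheme sketched in the quoted message, written out as an added PHP example (not part of the original post and not WordPress code). All function names are hypothetical, the use of `random_bytes()` for salts is an assumption, and md5 is kept only to mirror the thread's pseudocode.

```php
<?php
// Added illustration of the thread's "add another salt after a breach" idea.
// Function names are hypothetical; md5 is the default only because the
// thread's pseudocode uses it. Pass another hash() algorithm name to change it.

function new_salt(): string {
    return bin2hex(random_bytes(16)); // assumption: CSPRNG salt, one per user per layer
}

// Base layer from the thread: md5(password . md5(salt1))
function base_hash(string $password, string $salt, string $algo = 'md5'): string {
    return hash($algo, $password . hash($algo, $salt));
}

// "I've been hacked" step: wrap the stored hash with a fresh salt.
// Needs only the stored hash, never the plaintext password.
function add_layer(array $record, string $algo = 'md5'): array {
    $salt = new_salt();
    $record['hash'] = hash($algo, $record['hash'] . hash($algo, $salt));
    $record['salts'][] = $salt;
    return $record;
}

// Login: replay every layer in order, then compare in constant time.
function verify(string $password, array $record, string $algo = 'md5'): bool {
    $h = base_hash($password, $record['salts'][0], $algo);
    foreach (array_slice($record['salts'], 1) as $salt) {
        $h = hash($algo, $h . hash($algo, $salt));
    }
    return hash_equals($record['hash'], $h);
}

// Constructed sample record for one user.
$salt1  = new_salt();
$record = ['salts' => [$salt1], 'hash' => base_hash('correct horse', $salt1)];
$leaked = $record['hash'];               // what a database dump would contain

$record = add_layer($record);            // first incident
$record = add_layer($record);            // second incident

var_dump(verify('correct horse', $record));   // original password against the wrapped hash
var_dump(verify('wrong guess', $record));     // any other password
var_dump($leaked === $record['hash']);        // leaked value versus current stored value
echo 2 * count($record['salts']), " hash calls per login\n";
```

Wrapping changes the stored value without touching the password itself: a password recovered from the leaked pre-wrap hash still verifies afterwards, which is the integrity problem the reply at the top of this message points at.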

