[wp-hackers] Wordpress Cookie Authentication Vulnerability
Callum Macdonald
lists.automattic.com at callum-macdonald.com
Thu Nov 22 02:53:19 GMT 2007
Re salting passwords after an attack is only viable if you know you've
been attacked. I'm guessing it wouldn't be used by 99% of WP users. It
might make an interesting plugin though...
We're not using salts currently, just straight md5s. I believe md5 is
easier because of the PHP versions being supported, etc. However, a
uniquely salted md5 is still pretty secure, and would be a major step
forward from where we are today.
I'd suggest the biggest risk today is not that people hack WordPress
(ultimately, it's not that big a deal) but that if somebody gets hold of
your db, they then guess that most of your users use the same password
for all sites, and proceed to go wreak havoc on users all over the place.
+1 for salting the hashes using md5...
C.
Computer Guru wrote:
> Honestly, I'm surprised WP hasn't done that already... But that does not
> address the main issue here (which should NEVER occur if you take care of
> your stuff... *assuming* wp doesn't have any exploits) and that is how to
> maintain user password integrity after being hacked.
>
> (Oh, and if we're going with a SALT, we had damn-well better not use MD5...)
>
>
> On 11/22/07, Callum Macdonald <lists.automattic.com at callum-macdonald.com>
> wrote:
>
>> I think it would be a significant improvement to store each password
>> with a randomly generated salt. I think using a random salt based on the
>> current microtime would be sufficient.
>>
>> This would negate md5 rainbow attacks in reversing passwords from the
>> database. Plus, it's relatively easy to compute. It's a simple, elegant
>> solution.
>>
>> Cheers - Callum.
>>
>> Computer Guru wrote:
>>
>>> On 11/22/07, Viper007Bond <viper at viper007bond.com> wrote:
>>>
>>>
>>>> Manually picking and having to change a salt often is major pain in the
>>>> ass
>>>> and something the average user won't do.
>>>>
>>>> Better to have it be automated if you ask me.
>>>>
>>>>
>>>>
>>> That's not exactly difficult though, :-D
>>>
>>> A big red button "I've been hacked!"
>>> Clicky-the-button:
>>> WP adds a new column, randomly generated salt (salt1, salt2, salt3).
>>> WP re-creates password hashes: password_hash = md5(currenthash .
>>> md5(latestsalt))
>>> WP updates login routine from password_hash = md5(password . md5(salt1)
>>>
>> to
>>
>>> password_hash = md5( md5(password . md5(salt1) . md5(salt2) )
>>>
>>> It's excellent in principle IMHO... but it can quickly get out of hand
>>>
>> :-(
>>
>>> Besides the time it takes to perform 4 md5 calculations verses the
>>>
>> original
>>
>>> (and if you get hacked again, it would be 8!), it's too hackish for my
>>> liking.
>>>
>>> So yeah, it would be great for when Digg gets hacked, krose can just add
>>>
>> a
>>
>>> second salt be done with it. But I don't think (even though this was my
>>>
>> idea
>>
>>> :lol:) that this would work for a distributed package that we expect
>>>
>> people
>>
>>> to install who probably don't know what MD5 is in the first place.......
>>>
>>> Obviously the ideal solution would be to use reversible encryption
>>>
>> instead
>>
>>> of a MD5 hash. When the db gets hacked, reverse the encryption to obtain
>>> plain-text password, reset the SALT column to new random values, and
>>>
>> then
>>
>>> recreate the hash once more.
>>>
>>> Which brings me to yet another question:
>>> 1) Do you WANT to trust *ALL* the WP users out there to have a
>>>
>> REVERSIBLE
>>
>>> hash of user's passwords in the DB? Sure, they can easily modify the
>>>
>> current
>>
>>> code to log passwords before hashing them, but that takes some hacking
>>> talent - and hackers have their own code of ethics to adhere to ;)
>>>
>>> Seriously though, if you present the password as a reversible
>>>
>> encryption,
>>
>>> you'll be giving script kiddies the time of their life. But it DOES
>>>
>> solve
>>
>>> the problem.....
>>> 2) Are there any *uncracked* encryption libraries for PHP out there?
>>>
>>>
>>>
>>>
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
>>
>
>
>
>
More information about the wp-hackers
mailing list