[wp-hackers] Password Handling Improvements - Trac Ticket #2870

Callum Macdonald lists.automattic.com at callum-macdonald.com
Tue Sep 25 21:36:07 GMT 2007

I think generating passwords automatically is a good idea. I think 
overall, it will lead to a net gain in security. I'd support lengthening 
the password though, and definitely changing the algorithm that builds 
them. I notice there's a lot of numbers in them (I set up a lot of wp 
installs on a dev server).

I'd also be in favour of storing the passwords differently, adding a 
unique salt value with each user and storing the md5 of the password 
plus the salt. That would protect user accounts from rainbow attacks. 
Anyone else think it's worth the effort?

Cheers - Callum.

David Weitz wrote:
> I'm referring to this: http://trac.wordpress.org/ticket/2870
> I would have to make a new patch if we were to decide to put it in 
> 2.4, but I just wanted to see what other people think.
> I know people probably don't create as secure passwords at the system 
> does, but they're going to change it to what they want and it will be 
> easier to just allow them, if they want, to make their own when they 
> create a new installation. I say that we can take the middle ground of 
> having a checkbox that can be checked if you would rather have WP 
> create a password. If the user wants to create his own, it would have 
> a password and confirm password box.
> Any other ideas?
> -- 
> Dave
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

More information about the wp-hackers mailing list