[wp-hackers] Password Handling Improvements - Trac Ticket #2870
dabbaking at gmail.com
Tue Sep 25 22:08:30 GMT 2007
A salt would be a good idea. Maybe we can do something like registration time +
sha1 of password?
Callum Macdonald wrote:
> I think generating passwords automatically is a good idea. I think
> overall, it will lead to a net gain in security. I'd support lengthening
> the password though, and definitely changing the algorithm that builds
> them. I notice there are a lot of numbers in them (I set up a lot of wp
> installs on a dev server).
> I'd also be in favour of storing the passwords differently, adding a
> unique salt value with each user and storing the md5 of the password
> plus the salt. That would protect user accounts from rainbow attacks.
> Anyone else think it's worth the effort?
> Cheers - Callum.
> David Weitz wrote:
>> I'm referring to this: http://trac.wordpress.org/ticket/2870
>> I would have to make a new patch if we were to decide to put it in
>> 2.4, but I just wanted to see what other people think.
>> I know people probably don't create as secure passwords as the system
>> does, but they're going to change it to what they want and it will be
>> easier to just allow them, if they want, to make their own when they
>> create a new installation. I say that we can take the middle ground of
>> having a checkbox that can be checked if you would rather have WP
>> create a password. If the user wants to create his own, it would have
>> a password and confirm password box.
>> Any other ideas?
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
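The thread proposes storing hash(salt + password) with a unique salt per user so that a precomputed ("rainbow") table built from unsalted digests is useless against the dump. The block below is an added example written for this page; it is not code from the thread, from Trac ticket #2870 or from WordPress. It uses SHA-1 because the message above mentions it, draws the per-user salt from os.urandom rather than from the registration time, and adds a PBKDF2 variant as the stronger form a practitioner would want today. The wordlist and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Work factor for the slow-hash variant. The value is an assumption made for
# this example; neither the thread nor WordPress specifies one.
PBKDF2_ITERATIONS = 200_000

# Constructed sample dictionary standing in for the wordlist behind a
# precomputed (rainbow) table. Not data from the page.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "wordpress"]


def unsalted_sha1(password: str) -> str:
    """What a precomputed table is built against: digest of the bare password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_sha1(password: str, salt: bytes) -> str:
    """The scheme floated in the thread: digest(salt || password) with a
    per-user salt. SHA-1 is used because the message mentions it; the same
    construction works with any hash."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def make_record(password: str) -> dict:
    """Stored record for a new user: a fresh 16-byte random salt plus the
    salted digest. The salt is stored in the clear next to the hash; its job
    is uniqueness, not secrecy."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": salted_sha1(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(salted_sha1(candidate, salt), record["hash"])


def build_rainbow_table(words) -> dict:
    """Toy stand-in for a precomputed table: unsalted digest -> plaintext."""
    return {unsalted_sha1(w): w for w in words}


def lookup(table: dict, digest: str):
    """Reverse a digest via the table; None means the table does not help."""
    return table.get(digest)


def make_record_pbkdf2(password: str) -> dict:
    """Stronger variant: same per-user salt, but a deliberately slow
    derivation, so an attacker holding the salt and the hash still pays
    PBKDF2_ITERATIONS hash calls for every guess."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": dk.hex(),
            "iterations": PBKDF2_ITERATIONS}


def verify_pbkdf2(record: dict, candidate: str) -> bool:
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    salt = bytes.fromhex(record["salt"])
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt,
                             record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def demo() -> dict:
    """Run the comparison the thread is arguing about and return the facts."""
    table = build_rainbow_table(COMMON_PASSWORDS)
    alice = make_record("letmein")
    bob = make_record("letmein")
    return {
        # An unsalted hash of a common password is reversed instantly.
        "unsalted_reversed": lookup(table, unsalted_sha1("letmein")),
        # The salted hash of the same password is not in the table.
        "salted_reversed": lookup(table, alice["hash"]),
        # Two users with the same password get different stored hashes.
        "same_password_same_hash": alice["hash"] == bob["hash"],
        "login_ok": verify(alice, "letmein"),
        "login_wrong": verify(alice, "Letmein"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats a reviewer of the ticket would raise. A registration timestamp is unique-ish but low-entropy and often public (member lists show join dates), so it is a weak salt; a random salt stored beside the hash costs nothing more and has neither problem. And a salt only defeats precomputation: with a fast hash such as MD5 or SHA-1 an attacker who has the salts can still run a dictionary against each user individually at full speed, which is what the PBKDF2 variant is there to slow down.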