[wp-hackers] New password encryption

Jared Bangs jared at pacific22.com
Mon Apr 14 19:24:19 GMT 2008


On Mon, Apr 14, 2008 at 11:48 AM, Stefano Aglietti <steagl4ml at gmail.com>
wrote:

> With old method if I lost my password I can force it in the user table
> changing it and setting to code it MD5.
>

If I remember the implementation details correctly, you could still use a
similar technique and replace the database value with one that has been
salted using the same secret key from another system that you do have access
to, if you wanted to do it that way. I wouldn't recommend it though, since
there are much easier solutions.

>
> With 2.5 this won't work anymore. You will say that I can always get
> new password by email and you are right. But anyone that has some
> experience in sw assistance to end users knows that people do the worst
> things every time in the worst way possible.


> So sometimes people come out on the forum saying their 2-year-old blog updated
> to 2.5 was all OK but asked for the password and they didn't remember it, and
> when installing they used a mail they do not use anymore or mistyped by
> mistake or on purpose. Or maybe they have always had problems with email
> with that hosting etc. etc., so the solution to touch the database
> changing the email to get a new one doesn't work either... I know it sounds
> like science fiction, but I got people like that.
>

I'm not clear why the standard e-mail reset would not be a better option
than trying to overwrite the hashed password value. For one thing, it would
not require direct access to the database.

Even under the circumstances you describe (messages sent to the original
admin e-mail address are not accessible for some reason), you could always
change that e-mail address in the DB, since in your scenario mentioned above
you *do* have direct access to the database.

>
> I was wondering how to solve these cases with the new password codification
> because you can't install Ryan's plugin to revert the hashing method to pre
> 2.5 etc... any idea?
>

If you're saying that you couldn't install a plugin after the fact to let
you into the blog you're locked out of, that's correct, at least for the
sake of simplicity in this scenario. (Of course, if you have direct DB
access you could activate plugins without logging in if you knew what you
were doing, but we'll assume that is not viable in this case).

However, if you still really don't like the new password handling, I do
believe the whole process is pluggable, so you could theoretically change it
to work differently if you really felt you needed to. Just bear in mind that
these changes were made to address legitimate security concerns, and working
around them for the purposes you describe above is probably a bad idea.

- Jared

