[wp-hackers] The security week? :)

Mark Jaquith mark.wordpress at txfx.net
Wed Apr 16 19:16:01 GMT 2008


On Apr 16, 2008, at 2:58 PM, Shelly at WordPress wrote:
> I didn't know what it was for though, but I figured it was for a  
> good reason, so I did it.  (It does say it's not necessary, though.)
>
> What *is* it for, anyway?

It is a hashing salt that is not readable through the database.  "And  
what is a salt?"  A salt is something that adds randomness to a hash  
input and makes it much harder to crack.  For example:

In these examples, consider that the password is "test", but that the  
cracker does not know this (indeed, this is what he's trying to  
determine).  And yes, I'm glossing over some stuff, but this is the  
simplistic explanation.

Easy to crack: md5('test');

Since 'test' is a short dictionary word, crackers who have the output  
hash can easily use rainbow tables (dictionary lookup table) to crack  
that password in seconds, or minutes.

Harder to crack: md5('test' . $known_salt);

In this case, the cracker has to generate a new rainbow table that  
adds the $known_salt value to their table's hashes.  This slows them  
down.

Even harder to crack: md5('test' . $unknown_salt);

In this case, they don't know the salt.  And since a good salt is  
something very random, like "888a7da62429ba6ad3cb3c76a09641fc" -- they  
can't use rainbow tables to help them.  They have to just "brute  
force" their way through all the possible combinations.  This is a  
huge hurdle.  Something that might take 10 minutes before could now  
take years.

On Apr 16, 2008, at 2:27 PM, Stefano Aglietti wrote:
> When 2.5 was released I didn't see any advice about the NEED to make
> this secret key.


We have a couple options here:

1. Spread the word and encourage people to add it.
2. Have a "nag" in wp-admin that generates a random salt, prints the  
define('SECRET_KEY', $random_salt); line and tells you to add it to  
wp-config.php
3. Try to automatically add the SECRET_KEY define() to wp-config.php  
and fall back to #2 if we cannot.

#1 is going to result in very few people utilizing the feature.  #2 or  
#3 is probably the way to go.

--
Mark Jaquith • http://markjaquith.com/
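The three cases from the message above, as an added Python example (not code from the post or from WordPress): a constructed five-word list stands in for a rainbow table, md5 is used exactly as in the post, and the salt values are made up.

```python
import hashlib
import secrets

# Constructed wordlist standing in for a rainbow/dictionary table.
WORDLIST = ["password", "letmein", "test", "wordpress", "qwerty"]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def build_table(salt: str = "") -> dict:
    """Precompute md5(word . salt) for every word in the list."""
    return {md5_hex(w + salt): w for w in WORDLIST}


def lookup(hash_hex: str, table: dict):
    """Return the word whose (salted) md5 matches, or None."""
    return table.get(hash_hex)


def demo():
    password = "test"
    known_salt = "wp"                     # assumption: salt is public
    unknown_salt = secrets.token_hex(16)  # like SECRET_KEY, not in the DB

    # Case 1: md5('test'). A generic precomputed table finds it at once.
    h1 = md5_hex(password)
    r1 = lookup(h1, build_table())

    # Case 2: md5('test' . $known_salt). The generic table no longer
    # matches; the table has to be rebuilt with the salt appended.
    h2 = md5_hex(password + known_salt)
    r2_generic = lookup(h2, build_table())
    r2_rebuilt = lookup(h2, build_table(known_salt))

    # Case 3: md5('test' . $unknown_salt). Without the salt no table
    # can be built; only brute force over password+salt remains.
    h3 = md5_hex(password + unknown_salt)
    r3 = lookup(h3, build_table())

    return r1, r2_generic, r2_rebuilt, r3


if __name__ == "__main__":
    print(demo())
```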