[wp-hackers] The security week? :)
Otto
otto at ottodestruct.com
Thu Apr 17 14:06:04 GMT 2008
On Thu, Apr 17, 2008 at 8:52 AM, Alexander Beutl <xel at netgra.de> wrote:
> second: Why the hack is the only thing I need to do after changing
> SECRET_KEY logging in? I understand that what was saved in my cookie doesn't
> validate anymore. I do not understand why I do not have to let the pass be
> sent via mail like I think you indicated with this:
The SECRET_KEY is used for the cookie hash, not for the password
hashing. Password hashing is done by the phpass class. The cookie hash
is MD5 of username + expiration + secret key + salt value.
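
The separation described in the reply above, as an added sketch that is not part of the original post and is not WordPress code. It assumes the four inputs are joined with `|` (the post only lists them), uses PBKDF2 as a stand-in for phpass, and all names and values are constructed for illustration.

```python
import hashlib
import hmac
import time

def cookie_hash(username, expiration, secret_key, salt):
    # Inputs as listed in the post; the '|' join is an assumption.
    data = "|".join([username, str(expiration), secret_key, salt])
    return hashlib.md5(data.encode()).hexdigest()

def make_cookie(username, ttl, secret_key, salt, now=None):
    expiration = int(time.time() if now is None else now) + ttl
    digest = cookie_hash(username, expiration, secret_key, salt)
    return f"{username}|{expiration}|{digest}"

def check_cookie(cookie, secret_key, salt, now=None):
    """Return the username if the cookie verifies, else None."""
    try:
        # rsplit so a '|' inside the username cannot shift the fields.
        username, expiration, digest = cookie.rsplit("|", 2)
        expiration = int(expiration)
    except ValueError:
        return None
    if expiration < (time.time() if now is None else now):
        return None
    expected = cookie_hash(username, expiration, secret_key, salt)
    # Constant-time comparison of the two hex digests.
    ok = hmac.compare_digest(expected.encode(), digest.encode())
    return username if ok else None

def hash_password(password, pw_salt):
    # Stand-in for phpass (assumption). Note: no secret key is involved.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), pw_salt, 10_000)

def demo():
    # Constructed sample values.
    salt, old_key, new_key = "constructed-salt", "old-secret", "new-secret"
    pw_salt = b"constructed-pw-salt"
    stored = hash_password("correct horse", pw_salt)
    cookie = make_cookie("alice", 3600, old_key, salt, now=1_000_000)
    before = check_cookie(cookie, old_key, salt, now=1_000_100)
    # After rotating the key, the old cookie no longer verifies...
    after = check_cookie(cookie, new_key, salt, now=1_000_100)
    # ...but the stored password hash is unaffected, so logging in works.
    login_ok = hmac.compare_digest(stored, hash_password("correct horse", pw_salt))
    return before, after, login_ok
```
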