[wp-hackers] The security week? :)

Otto otto at ottodestruct.com
Thu Apr 17 14:06:04 GMT 2008

On Thu, Apr 17, 2008 at 8:52 AM, Alexander Beutl <xel at netgra.de> wrote:
>  second: Why the hack is the only thing I need to do after changing
>  SECRET_KEY logging in? I understand that what was saved in my cookie doesn't
>  validate anymore. I do not understand why I do not have to let the pass be
>  send via mail like I think you indicated with this:

The SECRET_KEY is used for the cookie hash, not for the password
hashing. Password hashing is done by the phpass class. The cookie hash
is MD5 of username + expiration + secret key + salt value.

More information about the wp-hackers mailing list