[wp-hackers] Client side password encryption

Viper007Bond viper at viper007bond.com
Sun Mar 16 09:27:12 GMT 2008


So I've been playing around with
http://wordpress.org/extend/plugins/semisecure-login/

It's a nice halfway point for people like me who don't have and don't want
to mess with SSL. It MD5's the password field before submitting and then
checks it against the MD5'ed version of the password in the database. Works
great in 2.3.x.

However, with phpass now being used (i.e. salted passwords), I thought I'd
update it for my own personal uses (and maybe a release) in time for WP 2.5.
Easier said than done, it's turning out to be.

Is it even possible? I can't think of a way to take the MD5 of the password
and use it to check the password due to the salting. I can't MD5 the
original password and compare it to the submitted hash as the original
obviously isn't stored anywhere.

What about the upgrade method though? Does 2.5 migrate the old MD5 hashes to
the new method or does it just leave them alone and only screw with the
cookies?

Ideas needed, assuming it's actually possible. I'm a bit inexperienced with
some of the new features.

-- 
Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/
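Added example (not part of the original message, and not the plugin's or WordPress's code): a Python sketch of the portable phpass scheme, showing why a client-side MD5 digest matches an unsalted MD5 column but cannot be checked against a salted, iterated hash. The sample password, the salt, and all function names are constructed for illustration.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(data: bytes) -> str:
    """phpass's own base64 variant (low bits first, not RFC 4648)."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def phpass_hash(password: str, salt: str, log2_rounds: int = 13) -> str:
    """Portable phpass hash: MD5 of salt+password, then 2**log2_rounds more rounds."""
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << log2_rounds):
        digest = hashlib.md5(digest + pw).digest()
    return "$P$" + ITOA64[log2_rounds] + salt + _encode64(digest)

def phpass_check(submitted: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; needs the exact string hashed originally."""
    candidate = phpass_hash(submitted, stored[4:12], ITOA64.index(stored[3]))
    return hmac.compare_digest(candidate, stored)

def demo() -> dict:
    password = "correct horse"  # constructed sample password
    client_md5 = hashlib.md5(password.encode()).hexdigest()  # what client-side JS would send
    legacy_row = hashlib.md5(password.encode()).hexdigest()  # unsalted MD5 as stored pre-phpass
    salted_row = phpass_hash(password, "abcdefgh")  # constructed 8-character salt
    return {
        "legacy_md5_vs_md5": hmac.compare_digest(client_md5, legacy_row),
        "phpass_plaintext": phpass_check(password, salted_row),
        "phpass_client_md5": phpass_check(client_md5, salted_row),
    }
```

Calling `demo()` returns `True` for the unsalted comparison and for the plaintext phpass check, and `False` when the client-side MD5 digest is submitted against the salted hash.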

