[wp-hackers] Client side password encryption

DD32 wordpress at dd32.id.au
Sun Mar 16 09:36:57 GMT 2008


On Sun, 16 Mar 2008 20:27:12 +1100, Viper007Bond <viper at viper007bond.com> wrote:

> So I've been playing around with
> http://wordpress.org/extend/plugins/semisecure-login/
..
> Is it even possible? I can't think of a way to take the MD5 of the password
> and use it to check the password due to the salting. I can't MD5 the
> original password and compare it to the submitted hash as the original
> obviously isn't stored anywhere.
>
> What about the upgrade method though? Does 2.5 migrate the old MD5 hashes to
> the new method or does it just leave them alone and only screw with the
> cookies?

When the user logs in, if the password hash is <= 32 characters, then it creates a new hash for the user with a salt added in.

I don't think there's a secure method of client-side password hashing now; it either has to be 2-way encryption so that the server can get the original password, or you need to pass the salt back to the JS and implement phpass in JavaScript, neither of which you'd want to do.

You, of course, could store another password in the database which is not salted, so that it allows you to log in by passing a hashed password along, but it's not of much use IMO.
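The upgrade-on-login behaviour described above (a stored hash of 32 characters or fewer is treated as legacy unsalted MD5 and replaced with a salted hash once the user authenticates), as an added illustration that is not WordPress's own code; it assumes an in-memory user table and uses PBKDF2-HMAC-SHA256 in place of phpass as the salted scheme:

```python
import hashlib
import hmac
import os

# Constructed in-memory "user table": the legacy entry stores a bare MD5 hex
# digest (32 chars), the unsalted scheme used before the salted hashes.
users = {
    "legacy_user": hashlib.md5(b"correct horse").hexdigest(),
}

ITERATIONS = 100_000  # assumption: work factor for the stand-in scheme


def make_salted_hash(password: str) -> str:
    """Salted, iterated hash standing in for phpass (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "$pbkdf2$" + salt.hex() + "$" + digest.hex()


def check_salted_hash(password: str, stored: str) -> bool:
    """Recompute with the embedded salt and compare in constant time."""
    _, _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def is_legacy(username: str) -> bool:
    """A hash of <= 32 characters is an unsalted MD5 digest."""
    return len(users[username]) <= 32


def login(username: str, password: str) -> bool:
    """Verify the password; on success migrate a legacy MD5 entry to a salted hash."""
    stored = users.get(username)
    if stored is None:
        return False
    if len(stored) <= 32:
        legacy = hashlib.md5(password.encode()).hexdigest()
        ok = hmac.compare_digest(legacy, stored)
        if ok:
            # Only now do we have the plaintext needed to create the salted hash.
            users[username] = make_salted_hash(password)
        return ok
    return check_salted_hash(password, stored)
```

The migration can only happen at login because the salted hash needs the plaintext, which is exactly why a client that only holds an MD5 of the password cannot produce the new hash itself.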
