[wp-hackers] Client side password encryption

DD32 wordpress at dd32.id.au
Sun Mar 16 10:40:24 GMT 2008


I don't think it uses MD5 anymore at all, instead it uses a "portable hash".. whatever that is. I might be wrong though.

Might be best looking up the old trac ticket for the changes, and/or asking Ryan (I think he had his hands in with that lot?)

Good luck though :)

On Sun, 16 Mar 2008 20:43:55 +1100, Viper007Bond <viper at viper007bond.com> wrote:

> Yeah, this isn't assumed to be 100% secure, merely a way to avoid sending
> the password plaintext via an unencrypted connection (like a public wifi or
> whatever).
>
> Anyway, so if it does indeed "upgrade" the old MD5 hash in the database to a
> new salted one, I could salt the POST'ed MD5 hash and compare it to the one
> in the database, no?
>
> On Sun, Mar 16, 2008 at 2:36 AM, DD32 <wordpress at dd32.id.au> wrote:
>
>> On Sun, 16 Mar 2008 20:27:12 +1100, Viper007Bond <viper at viper007bond.com>
>> wrote:
>>
>> > So I've been playing around with
>> > http://wordpress.org/extend/plugins/semisecure-login/
>> ..
>> > Is it even possible? I can't think of a way to take the MD5 of the
>> password
>> > and use it to check the password due to the salting. I can't MD5 the
>> > original password and compare it to the submitted hash as the original
>> > obviously isn't stored anywhere.
>> >
>> > What about the upgrade method though? Does 2.5 migrate the old MD5
>> hashes to
>> > the new method or does it just leave them alone and only screw with the
>> > cookies?
>>
>> When the user logs in, if the password hash is <= 32 char, then it creates
>> a new hash for the user with a salt added in.
>>
>> I don't think there's a secure method of client side password hashing now,
>> it either has to be 2-way encryption so that the server can get the original
>> password, Or you need to pass the salt back to the JS and implement phpass
>> in javascript, neither of which you'd want to do.
>>
>> You of course, could store another password in the database which is not
>> salted, so that it allows you to login via passing a hashed password along,
>> but it's not of much use IMO
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
>
>
>
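Added example, not code from this thread, from WordPress or from the semisecure-login plugin: a small model of the login-time upgrade DD32 describes (a stored value of 32 chars or fewer is an old MD5 hash; once the plain password verifies, it is re-hashed with a salt) next to the two things the plugin is up against. The "portable hash" referred to above is the phpass `$P$` format (salted, iterated MD5); this example swaps in PBKDF2-HMAC-SHA256 with a made-up `pbkdf2$salt$digest` storage format as a stand-in, and the user, password and salt are constructed sample data. `login_with_md5` shows that a submitted md5(password) can only be checked against a legacy entry, and `login_with_salt_challenge` shows what DD32's "pass the salt back to the JS" option costs: the value the client computes is compared directly, so capturing it once on that public wifi is as good as the password.

```python
"""Login-time MD5 -> salted upgrade, and why a client-hashed password
cannot be verified against a salted store (added example; PBKDF2 is an
assumed stand-in for phpass, the storage format is invented)."""
import hashlib
import hmac
import os

ITERATIONS = 1000  # assumed cost parameter; small so the example runs quickly


def legacy_md5(password):
    """The pre-2.5 scheme the thread refers to: bare MD5, 32 hex chars."""
    return hashlib.md5(password.encode()).hexdigest()


def client_side_salted(password, salt):
    """What the browser would compute if the salt were handed to it.
    Stand-in (PBKDF2-HMAC-SHA256) for a JavaScript phpass port."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def salted_hash(password, salt=None):
    """Stand-in for the phpass portable hash: random salt, iterated digest,
    stored as 'pbkdf2$<salt hex>$<digest hex>' (assumed format, not WordPress's)."""
    salt = salt if salt is not None else os.urandom(8)
    return "pbkdf2$%s$%s" % (salt.hex(), client_side_salted(password, salt))


def is_legacy(stored):
    """The thread's rule: a stored value of <= 32 chars is an old MD5 hash."""
    return len(stored) <= 32


def salt_for(stored):
    """Salt bytes of a salted entry (the part a salt-challenge login would send)."""
    return bytes.fromhex(stored.split("$")[1])


def check_password(password, stored):
    """Verify a plain password against either kind of stored value."""
    if is_legacy(stored):
        return hmac.compare_digest(legacy_md5(password), stored)
    return hmac.compare_digest(client_side_salted(password, salt_for(stored)),
                               stored.split("$")[2])


def login(db, user, password):
    """Plain-password login with upgrade-on-login: a legacy hash that
    verifies is replaced by a salted one, as DD32 describes."""
    stored = db[user]
    if not check_password(password, stored):
        return False
    if is_legacy(stored):
        db[user] = salted_hash(password)
    return True


def login_with_md5(db, user, md5_submitted):
    """The semisecure-login situation: the client sends md5(password).
    Returns 'ok', 'bad' or 'unverifiable'."""
    stored = db[user]
    if is_legacy(stored):
        return "ok" if hmac.compare_digest(md5_submitted, stored) else "bad"
    # Salted store: the server holds neither the plaintext nor anything
    # derivable from md5(password) alone, so there is nothing to compare.
    return "unverifiable"


def login_with_salt_challenge(db, user, submitted_hex):
    """DD32's alternative: the server sent the user's salt and the client
    computed the salted digest. Whatever the client sends is compared
    directly, so that value is itself a password equivalent: capturing it
    once lets an attacker replay it unchanged."""
    stored = db[user]
    if is_legacy(stored):
        return False  # no salt to hand out yet; force a plain-password login
    return hmac.compare_digest(submitted_hex, stored.split("$")[2])


if __name__ == "__main__":
    db = {"viper": legacy_md5("correct horse")}  # constructed sample user
    print(login_with_md5(db, "viper", legacy_md5("correct horse")))  # ok
    login(db, "viper", "correct horse")  # upgrades the stored hash
    print(login_with_md5(db, "viper", legacy_md5("correct horse")))  # unverifiable
```

The replay property of the salt-challenge variant is the reason the thread treats it as a non-option rather than a fix: it stops a passive listener from reading the password, but the captured digest logs in just as well, and the same digest is what sits in the database.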