[wp-hackers] Password Handling Improvements - Trac Ticket #2870
lists.automattic.com at callum-macdonald.com
Tue Sep 25 21:36:07 GMT 2007
I think generating passwords automatically is a good idea. I think
overall, it will lead to a net gain in security. I'd support lengthening
the password though, and definitely changing the algorithm that builds
them. I notice there's a lot of numbers in them (I set up a lot of wp
installs on a dev server).
I'd also be in favour of storing the passwords differently, adding a
unique salt value with each user and storing the md5 of the password
plus the salt. That would protect user accounts from rainbow attacks.
Anyone else think it's worth the effort?
Cheers - Callum.
David Weitz wrote:
> I'm referring to this: http://trac.wordpress.org/ticket/2870
> I would have to make a new patch if we were to decide to put it in
> 2.4, but I just wanted to see what other people think.
> I know people probably don't create as secure passwords as the system
> does, but they're going to change it to what they want and it will be
> easier to just allow them, if they want, to make their own when they
> create a new installation. I say that we can take the middle ground of
> having a checkbox that can be checked if you would rather have WP
> create a password. If the user wants to create his own, it would have
> a password and confirm password box.
> Any other ideas?
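The per-user salt scheme proposed in the message above, shown as an added example that is not part of the original thread or of WordPress code. The function names, the wordlist and the user records are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def store_unsalted(password):
    # One column per user: md5(password). Same password -> same hash everywhere.
    return md5_hex(password.encode())


def store_salted(password):
    # Two columns per user: a random 16-byte salt and md5(salt + password).
    salt = secrets.token_bytes(16)
    return salt.hex(), md5_hex(salt + password.encode())


def verify_salted(password, salt_hex, digest):
    candidate = md5_hex(bytes.fromhex(salt_hex) + password.encode())
    # Constant-time comparison of the stored and recomputed digests.
    return hmac.compare_digest(candidate, digest)


def demo():
    # Constructed sample data: a table computed once in advance, and two
    # accounts that happen to share a password.
    table = {md5_hex(w.encode()): w for w in ["letmein", "password1", "wordpress"]}
    users = {"alice": "letmein", "bob": "letmein"}

    unsalted = {u: store_unsalted(p) for u, p in users.items()}
    salted = {u: store_salted(p) for u, p in users.items()}

    return {
        # Every unsalted hash is a direct key into the precomputed table.
        "unsalted_found": sorted(u for u, h in unsalted.items() if h in table),
        # Salted hashes never appear in a table built without the salt.
        "salted_found": sorted(u for u, (_, h) in salted.items() if h in table),
        # Shared passwords are visible in the unsalted column, hidden when salted.
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "salted_identical": salted["alice"][1] == salted["bob"][1],
    }


if __name__ == "__main__":
    print(demo())
```

The salt only removes the benefit of precomputed tables; MD5 is still fast to compute, so each salted hash can still be guessed one account at a time.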