[wp-hackers] The security week? :)
mark.wordpress at txfx.net
Wed Apr 16 19:16:01 GMT 2008
On Apr 16, 2008, at 2:58 PM, Shelly at WordPress wrote:
> I didn't know what it was for though, but I figured it was for a
> good reason, so I did it. (It does say it's not necessary, though.)
> What *is* it for, anyway?
It is a hashing salt that is not readable through the database. "And
what is a salt?" A salt is something that adds randomness to a hash
input and makes it much harder to crack. For example:
In these examples, consider that the password is "test", but that the
cracker does not know this (indeed, this is what he's trying to
determine). And yes, I'm glossing over some stuff, but this is the
Easy to crack: md5('test');
Since 'test' is a short dictionary word, crackers who have the output
hash can easily use rainbow tables (dictionary lookup table) to crack
that password in seconds, or minutes.
Harder to crack: md5('test' . $known_salt);
In this case, the cracker has to generate a new rainbow table that
adds the $known_salt value to their table's hashes. This slows them
Even harder to crack: md5('test' . $unknown_salt);
In this case, they don't know the salt. And since a good salt is
something very random, like "888a7da62429ba6ad3cb3c76a09641fc" -- they
can't use rainbow tables to help them. They have to just "brute
force" their way through all the possible combinations. This is a
huge hurdle. Something that might take 10 minutes before could now
On Apr 16, 2008, at 2:27 PM, Stefano Aglietti wrote:
> When 2.5 was realeasedI didn't se any advice about the NEED to make
> this secret key.
We have a couple options here:
1. Spread the word and encourage people to add it.
2. Have a "nag" in wp-admin that generates a random salt, prints the
define('SECRET_KEY', $random_salt); line and tells you to add it to wp-
3. Try to automatically add the SECRET_KEY define() to wp-config.php
and fall back to #2 if we cannot.
#1 is going to result in very few people utilizing the feature. #2 or
#3 is probably the way to go.
Mark Jaquith • http://markjaquith.com/
More information about the wp-hackers