[wp-trac] [WordPress Trac] #5401: Strengthen password generation, and make generation function pluggable
WordPress Trac
wp-trac at lists.automattic.com
Thu Nov 29 15:40:26 GMT 2007
#5401: Strengthen password generation, and make generation function pluggable
-------------------------+--------------------------------------------------
Reporter: pishmishy | Owner: anonymous
Type: enhancement | Status: new
Priority: normal | Milestone: 2.5
Component: Security | Version:
Severity: normal | Keywords: password pluggable has-patch
-------------------------+--------------------------------------------------
Password generation currently uses code such as
{{{substr(md5(uniqid(microtime())), 0, 6)}}};
to generate passwords. This does produce a random string but the output is
a hexadecimal representation of a number. This only features numbers and
the characters "abcdef" reducing the search space of a six letter password
over 3,000 times.
16^6^ = 16777216 possible passwords
62^6^ = 56800235584 possible passwords
I've written a function that draws a random string from this larger set of
characters. In practice we may wish to trim this a little so that users don't
confuse O and 0, 1 and l, etc. As with #2394 the new function is pluggable.
It replaces the old style code used in new installs, password resets, new
registrations and post-by-email passwords.
The attached patch also corrects some comments
--
Ticket URL: <http://trac.wordpress.org/ticket/5401>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
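The ticket's attached patch is not reproduced in this archive. As an added illustration of what the ticket describes (not the reporter's patch and not WordPress's own code), the following PHP shows the old hex-only generator beside a replacement that draws each character from the larger, confusable-free alphabet, wrapped in the `function_exists()` guard that makes WordPress functions pluggable. It assumes PHP 7 or later for `random_int()`; the function and constant names are hypothetical.

```php
<?php
// Added example, not the ticket's patch. Assumes PHP >= 7.0 (random_int()).

// The generator the ticket objects to: output is a hex string, so each
// position has only 16 possible values (0-9, a-f), and uniqid()/microtime()
// are time-derived rather than drawn from a CSPRNG.
function old_generate_password() {
    return substr( md5( uniqid( microtime() ) ), 0, 6 );
}

// Alphabet trimmed as the ticket suggests: no O/0 and no 1/l/I, so users
// don't misread a generated password. 57 characters remain.
const PASSWORD_ALPHABET = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';

// Pluggable in the WordPress sense: a plugin that defines generate_password()
// earlier wins, and this default is skipped.
if ( ! function_exists( 'generate_password' ) ) {
    /**
     * Build a password of $length characters chosen independently and
     * uniformly from $alphabet using random_int(), which is backed by the
     * OS CSPRNG and avoids the modulo bias of rand() % strlen($alphabet).
     */
    function generate_password( int $length = 12, string $alphabet = PASSWORD_ALPHABET ): string {
        if ( $length < 1 || strlen( $alphabet ) < 2 ) {
            throw new InvalidArgumentException( 'length must be >= 1 and alphabet must have >= 2 characters' );
        }
        $last     = strlen( $alphabet ) - 1;
        $password = '';
        for ( $i = 0; $i < $length; $i++ ) {
            $password .= $alphabet[ random_int( 0, $last ) ];
        }
        return $password;
    }
}

// Size of the search space for an alphabet of $size symbols and $length
// positions; this is the 16^6 versus 62^6 comparison from the ticket.
function search_space( int $size, int $length ): float {
    return $size ** $length;
}

printf( "old generator:        %s\n", old_generate_password() );
printf( "new generator:        %s\n", generate_password() );
printf( "hex, 6 chars:         %.0f\n", search_space( 16, 6 ) );
printf( "full alnum, 6 chars:  %.0f\n", search_space( 62, 6 ) );
printf( "trimmed set, 6 chars: %.0f\n", search_space( strlen( PASSWORD_ALPHABET ), 6 ) );
printf( "alnum/hex ratio:      %.0f\n", search_space( 62, 6 ) / search_space( 16, 6 ) );
```

Dropping the five confusable characters costs a little entropy per position (57 rather than 62 symbols) but is the usual trade for passwords a user has to transcribe; lengthening the default from 6 to 12 characters more than compensates. Drawing each index with `random_int()` rather than slicing an `md5()` digest matters independently of the alphabet: the hex output of the old code is only a symptom, the underlying `uniqid(microtime())` seed being guessable is the deeper weakness.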