[wp-trac] Re: [WordPress Trac] #3604: wp-admin Password Encryption via JavaScript

WordPress Trac wp-trac at lists.automattic.com
Sun Jan 6 15:39:34 GMT 2008


#3604: wp-admin Password Encryption via JavaScript
-------------------------------------------+--------------------------------
 Reporter:  robertaccettura                |        Owner:  anonymous
     Type:  enhancement                    |       Status:  new      
 Priority:  low                            |    Milestone:  2.7      
Component:  Administration                 |      Version:           
 Severity:  normal                         |   Resolution:           
 Keywords:  security, encrypt, tinfoilhat  |  
-------------------------------------------+--------------------------------
Comment (by kalgriffen):

 Ok, here are my thoughts on how to implement this.  The most secure
 encryption, to my knowledge, uses public and private keys.

 If we generate a public/private key pair when WordPress is installed, or
 updated from a version that does not have a key pair, we can send the
 public key to the user inside the login page.  A simple JavaScript could
 then encode the password using the public key and send it back to the
 server when the user logs in.  The password is then decoded on the server
 side using the server's private key, and authenticated against the user's
 password.

 We would also need an additional value to be sent to the server from
 within the form to indicate if the password has been encrypted (indicating
 the user has JavaScript enabled), or that the password has not been
 encrypted (indicating JavaScript is disabled).

 Any thoughts on how strong a key we should use?  I was thinking 128- or
 256-bit, but we could easily use larger keys.  Keep in mind that a longer
 key will require more processing power, and time, during the install.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/3604#comment:7>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software


More information about the wp-trac mailing list