[wp-trac] [WordPress Trac] #17830: The extension mechanisms related to hashing and storing passwords could be improved
WordPress Trac
wp-trac at lists.automattic.com
Fri Jun 17 18:18:08 UTC 2011
#17830: The extension mechanisms related to hashing and storing passwords could be
improved
-------------------------+-----------------------------
Reporter: monperrus | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Keywords:
-------------------------+-----------------------------
Hi,
I've just written a plugin which allows storing passwords in a way that is
compatible with HTTP digest (see
http://www.monperrus.net/martin/wp-http-digest). The advantage of this
approach is that it enables me to build services using HTTP digest
authentication on top of standard WordPress accounts.
The hash of HTTP digest passwords is md5(username:realm:password). Since
it requires the username, overriding wp_hash_password($password) is not
enough.
Eventually, I had to override:
- wp_check_password to concatenate username:realm:password
- wp_set_password to correctly update the password
- wp_new_user_notification to intercept newly created passwords
- add_action('profile_update', 'action_profile_update' ); to intercept
updated passwords.
The last two changes are somewhat of a hack: if wp_insert_user and
wp_update_user used wp_set_password instead of calling wp_hash_password
directly, I would only have to override wp_check_password and
wp_set_password, and it would be fine.
Thus, I suggest adding a call to wp_set_password in wp_insert_user.
Regards,
--Martin
--
Ticket URL: <http://core.trac.wordpress.org/ticket/17830>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
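
The hash format described in the message above, as an added stand-alone PHP example that is not part of the original message, the plugin or WordPress: it shows why the stored value depends on the username and how a server checks an RFC 2617 Digest response (qop=auth) from that stored value alone. The helper names, user, realm and nonce values are assumptions constructed for illustration.

```php
<?php
// Added illustration. Function names here are hypothetical helpers,
// not WordPress functions; user, realm and nonce values are constructed.

// HA1 in the form the message describes: md5(username:realm:password).
function digest_ha1(string $user, string $realm, string $password): string {
    return md5($user . ':' . $realm . ':' . $password);
}

// Form-login check. It needs the username, which a hook that only
// receives $password cannot supply.
function check_form_login(string $user, string $realm, string $password, string $storedHa1): bool {
    return hash_equals($storedHa1, digest_ha1($user, $realm, $password));
}

// RFC 2617 response for qop=auth, computed from HA1 alone.
function digest_response(string $ha1, string $method, array $p): string {
    $ha2 = md5($method . ':' . $p['uri']);
    return md5(implode(':', [$ha1, $p['nonce'], $p['nc'], $p['cnonce'], $p['qop'], $ha2]));
}

// Server-side check of an Authorization: Digest header against the stored HA1.
// Nonce issuance, expiry and nc replay tracking are out of scope here.
function check_digest_auth(string $storedHa1, string $method, array $p): bool {
    return hash_equals(digest_response($storedHa1, $method, $p), $p['response']);
}

$realm  = 'example-realm';
$stored = digest_ha1('alice', $realm, 'correct horse');   // value kept in the user table

// What a client that knows the password would send.
$params = ['uri' => '/feed/', 'nonce' => 'constructed-nonce', 'nc' => '00000001',
           'cnonce' => 'constructed-cnonce', 'qop' => 'auth'];
$params['response'] = digest_response(digest_ha1('alice', $realm, 'correct horse'), 'GET', $params);

var_dump(check_form_login('alice', $realm, 'correct horse', $stored));
var_dump(check_form_login('alice2', $realm, 'correct horse', $stored)); // same password, other username
var_dump(check_digest_auth($stored, 'GET', $params));
$params['uri'] = '/wp-admin/';                                           // response no longer covers this URI
var_dump(check_digest_auth($stored, 'GET', $params));
```

Because the stored value is all that is needed to compute a valid Digest response for that realm, it is password-equivalent for any digest-authenticated service and the user table needs protecting accordingly.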