[wp-hackers] Stronger default passwords
Mark Jaquith
mark.wordpress at txfx.net
Wed Dec 22 03:16:54 UTC 2004
Why don't we just prompt the user for an admin password when we ask for
email and blog name? As it is, we give it to them, so it's not like
there's really a security problem. It'd sure save a lot of frustration
for users who don't write down the admin password (yeah, me once). We
could enforce minimum length or complexity if we wanted, too, if we
wanted to make things more secure.
On Tue, 21 Dec 2004 10:01pm, Kitty wrote:
>> Update of /cvsroot/cafelog/wordpress
>>
>> Modified Files:
>> wp-login.php
>> Log Message:
>> Make reset passwords use the same randomness we do in install.php. Hat
>> tip: swoolley.
>
> Maybe it's time to make the generated passwords a little longer? With
> all the PHP security news + phpBB cracks coming out/going around, it
> might be a good idea.
>
> I suggest 10 digits ala:
> $user_pass = substr(md5(uniqid(microtime())), 0, 10);
>
> Overkill?
> --
> Cheers, Blog: http://blog.mookitty.co.uk
> Kitty PC Repair: http://www.girltech.net
> WP Plugins: http://mookitty.co.uk/devblog
> Support proactive security: http://www.openbsd.org/orders.html
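
Added example, not part of the original messages and not WordPress code: the one-liner quoted above yields 10 hex characters (at most 40 bits) whose only input is the clock, so the sketch below sets it beside a generator that draws from the OS CSPRNG, plus the minimum length/complexity check suggested in the reply. All function names, the alphabet and the thresholds are assumptions, and random_int() requires PHP 7 or later.

```php
<?php
// Added illustration. Names, alphabet and thresholds are hypothetical.

// Alphabet without look-alike characters (l, I, O, 0, 1): 57 symbols.
const ALPHABET = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';

// The approach quoted in the thread: hex digits of an MD5 over time values.
// uniqid() and microtime() are both derived from the current time.
function legacy_password(): string {
    return substr(md5(uniqid(microtime())), 0, 10);
}

// Alternative: pick every character independently from the OS CSPRNG.
function generate_password(int $length = 12): string {
    $max = strlen(ALPHABET) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= ALPHABET[random_int(0, $max)]; // uniform, no modulo bias
    }
    return $out;
}

// Minimum length / complexity check for a password the user types in
// at install time. Returns a list of problems; empty means acceptable.
function password_problems(string $pass, int $min_length = 10): array {
    $problems = [];
    if (strlen($pass) < $min_length) {
        $problems[] = "shorter than $min_length characters";
    }
    $classes = 0;
    foreach (['/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/'] as $re) {
        $classes += preg_match($re, $pass); // 1 if the class is present
    }
    if ($classes < 3) {
        $problems[] = 'uses fewer than 3 character classes';
    }
    return $problems;
}

// Upper bound on entropy for each scheme, in bits.
printf("legacy:    %s (<= %.0f bits, time-derived)\n",
    legacy_password(), 10 * log(16, 2));
printf("generated: %s (~%.0f bits)\n",
    generate_password(), 12 * log(strlen(ALPHABET), 2));
print_r(password_problems('letmein'));       // constructed sample input
print_r(password_problems('Tr4il-mix-42'));  // constructed sample input
```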