[wp-hackers] Stronger default passwords

Mark Jaquith mark.wordpress at txfx.net
Wed Dec 22 03:16:54 UTC 2004

Why don't we just prompt the user for an admin password when we ask for 
email and blog name?  As it is, we give it to them, so it's not like 
there's really a security problem.  It'd sure save a lot of frustration 
for users who don't write down the admin password (yeah, me once). We 
could enforce minimum length or complexity if we wanted, too, if we 
wanted to make things more secure.

On Tue, 21 Dec 2004 10:01pm, Kitty wrote:
>>  Update of /cvsroot/cafelog/wordpress
>>  Modified Files:
>>          wp-login.php
>>  Log Message:
>>  Make reset passwords use the same randomness we do in install.php. Hat
>>  tip: swoolley.
> Maybe it's time to make the generated passwords a little longer? With
> all the PHP security news + phpBB cracks coming out/going around, it
> might be a good idea.
> I suggest 10 digits ala:
> $user_pass = substr(md5(uniqid(microtime())), 0, 10);
> Overkill?
> --
> Cheers,		     Blog: http://blog.mookitty.co.uk
> Kitty		     PC Repair: http://www.girltech.net
> 		     WP Plugins: http://mookitty.co.uk/devblog
> Support proactive security: http://www.openbsd.org/orders.html

More information about the hackers mailing list