[wp-hackers] Wordpress Cookie Authentication Vulnerability

Callum Macdonald lists.automattic.com at callum-macdonald.com
Thu Nov 22 02:36:00 GMT 2007


I think it would be a significant improvement to store each password 
with a randomly generated salt. I think using a random salt based on the 
current microtime would be sufficient.

This would negate md5 rainbow attacks in reversing passwords from the 
database. Plus, it's relatively easy to compute. It's a simple, elegant 
solution.

Cheers - Callum.

Computer Guru wrote:
> On 11/22/07, Viper007Bond <viper at viper007bond.com> wrote:
>   
>> Manually picking and having to change a salt often is major pain in the
>> ass
>> and something the average user won't do.
>>
>> Better to have it be automated if you ask me.
>>
>>     
> That's not exactly difficult though, :-D
>
> A big red button "I've been hacked!"
> Clicky-the-button:
> WP adds a new column, randomly generated salt (salt1, salt2, salt3).
> WP re-creates password hashes: password_hash = md5(currenthash .
> md5(latestsalt))
> WP updates login routine from password_hash = md5(password . md5(salt1) to
> password_hash = md5( md5(password . md5(salt1) . md5(salt2) )
>
> It's excellent in principle IMHO... but it can quickly get out of hand :-(
>
> Besides the time it takes to perform 4 md5 calculations verses the original
> (and if you get hacked again, it would be 8!), it's too hackish for my
> liking.
>
> So yeah, it would be great for when Digg gets hacked, krose can just add a
> second salt be done with it. But I don't think (even though this was my idea
> :lol:) that this would work for a distributed package that we expect people
> to install who probably don't know what MD5 is in the first place.......
>
> Obviously the ideal solution would be to use reversible encryption instead
> of a MD5 hash. When the db gets hacked, reverse the encryption to obtain
> plain-text password, reset the SALT column to new random values, and then
> recreate the hash once more.
>
> Which brings me to yet another question:
> 1) Do you WANT to trust *ALL* the WP users out there to have a REVERSIBLE
> hash of user's passwords in the DB? Sure, they can easily modify the current
> code to log passwords before hashing them, but that takes some hacking
> talent - and hackers have their own code of ethics to adhere to ;)
>
> Seriously though, if you present the password as a reversible encryption,
> you'll be giving script kiddies the time of their life. But it DOES solve
> the problem.....
> 2) Are there any *uncracked* encryption libraries for PHP out there?
>
>
>   



More information about the wp-hackers mailing list