[wp-hackers] Password Handling Improvements - Trac Ticket #2870
David Weitz
dabbaking at gmail.com
Tue Sep 25 22:08:30 GMT 2007
A salt would be a good idea. Maybe we can do like registration time +
sha1 of password?
Callum Macdonald wrote:
> I think generating passwords automatically is a good idea. I think
> overall, it will lead to a net gain in security. I'd support lengthening
> the password though, and definitely changing the algorithm that builds
> them. I notice there's a lot of numbers in them (I set up a lot of wp
> installs on a dev server).
>
> I'd also be in favour of storing the passwords differently, adding a
> unique salt value with each user and storing the md5 of the password
> plus the salt. That would protect user accounts from rainbow attacks.
> Anyone else think it's worth the effort?
>
> Cheers - Callum.
>
> David Weitz wrote:
>> I'm referring to this: http://trac.wordpress.org/ticket/2870
>>
>> I would have to make a new patch if we were to decide to put it in
>> 2.4, but I just wanted to see what other people think.
>>
>> I know people probably don't create as secure passwords as the system
>> does, but they're going to change it to what they want and it will be
>> easier to just allow them, if they want, to make their own when they
>> create a new installation. I say that we can take the middle ground of
>> having a checkbox that can be checked if you would rather have WP
>> create a password. If the user wants to create his own, it would have
>> a password and confirm password box.
>>
>> Any other ideas?
>>
>> --
>> Dave
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
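The per-user salt proposal quoted above, as an added example that is not part of the original thread or of WordPress code: it stores the same constructed accounts as plain md5(password) and as md5(salt + password), then checks both against one precomputed digest table. The account data, the wordlist, the 16-byte random salt and all function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts; alice and bob happen to pick the same password.
USERS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "x9!Lq_vT2m"}
# Constructed wordlist standing in for the inputs of a precomputed table.
WORDLIST = ["password", "letmein", "sunshine1"]

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def store_unsalted(users):
    """One column per user: md5(password)."""
    return {name: md5_hex(pw) for name, pw in users.items()}

def store_salted(users):
    """Two columns per user: a random salt and md5(salt + password)."""
    rows = {}
    for name, pw in users.items():
        salt = secrets.token_hex(16)  # assumption: 16 random bytes, hex-encoded
        rows[name] = (salt, md5_hex(salt + pw))
    return rows

def verify(rows, name, candidate):
    """Recompute with the stored salt; compare in constant time."""
    salt, digest = rows[name]
    return hmac.compare_digest(md5_hex(salt + candidate), digest)

def precompute(wordlist):
    """digest -> password, built once with no knowledge of any salt."""
    return {md5_hex(word): word for word in wordlist}

def recovered_by_lookup(digests, table):
    """Accounts whose stored digest appears in the precomputed table."""
    return {name: table[d] for name, d in digests.items() if d in table}

if __name__ == "__main__":
    table = precompute(WORDLIST)
    salted = store_salted(USERS)
    print("unsalted:", recovered_by_lookup(store_unsalted(USERS), table))
    print("salted:  ", recovered_by_lookup({n: d for n, (_, d) in salted.items()}, table))
    print("login ok:", verify(salted, "alice", "sunshine1"))
```

The salt removes the precomputation shortcut and hides the fact that two users share a password. Each salted digest can still be guessed one account at a time at MD5 speed, so the hash function itself remains the limiting factor.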