[wp-hackers] Password Handling Improvements - Trac Ticket #2870

Computer Guru computerguru at neosmart.net
Tue Sep 25 23:27:38 GMT 2007


If you're not going to use SHA-512, then you MUST read this excellent article on the topic of correct storage procedures for passwords in databases by Jeff Atwood: http://www.codinghorror.com/blog/archives/000953.html

It's a must-read for anyone storing passwords or other sensitive info in the DB that you don't NEED to have the original value for.

Computer Guru
NeoSmart Technologies
http://neosmart.net/


> -----Original Message-----
> From: wp-hackers-bounces at lists.automattic.com
> [mailto:wp-hackers-bounces at lists.automattic.com] On Behalf Of Callum Macdonald
> Sent: Wednesday, September 26, 2007 12:36 AM
> To: wp-hackers at lists.automattic.com
> Subject: Re: [wp-hackers] Password Handling Improvements - Trac Ticket #2870
> 
> I think generating passwords automatically is a good idea. I think
> overall, it will lead to a net gain in security. I'd support
> lengthening the password though, and definitely changing the algorithm
> that builds them. I notice there's a lot of numbers in them (I set up a
> lot of wp installs on a dev server).
> 
> I'd also be in favour of storing the passwords differently, adding a
> unique salt value with each user and storing the md5 of the password
> plus the salt. That would protect user accounts from rainbow attacks.
> Anyone else think it's worth the effort?
> 
> Cheers - Callum.
> 
> David Weitz wrote:
> > I'm referring to this: http://trac.wordpress.org/ticket/2870
> >
> > I would have to make a new patch if we were to decide to put it in
> > 2.4, but I just wanted to see what other people think.
> >
> > I know people probably don't create as secure passwords as the system
> > does, but they're going to change it to what they want and it will be
> > easier to just allow them, if they want, to make their own when they
> > create a new installation. I say that we can take the middle ground
> > of having a checkbox that can be checked if you would rather have WP
> > create a password. If the user wants to create his own, it would have
> > a password and confirm password box.
> >
> > Any other ideas?
> >
> > --
> > Dave
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
> >
> >
> 
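The storage scheme Callum proposes in the quoted message (a random salt per user, with the digest of password plus salt stored beside it), as an added example that is not part of the thread or of WordPress. The digest algorithm is a parameter so the md5 and SHA-512 variants mentioned above can both be tried; the record layout and the sample user list are my own constructions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example of per-user salted password storage. Not WordPress code;
# the record layout ({"algo", "salt", "hash"}) is an assumption.


def make_record(password: str, algo: str = "sha512",
                salt: Optional[bytes] = None) -> dict:
    """Build the stored record for one user: a fresh 16-byte random salt
    and the hex digest of (password || salt)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.new(algo, password.encode("utf-8") + salt).hexdigest()
    return {"algo": algo, "salt": salt.hex(), "hash": digest}


def verify(password: str, record: dict) -> bool:
    """Recompute the digest with the user's own stored salt and compare in
    constant time, so a mismatch does not leak where the digests diverge."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.new(record["algo"], password.encode("utf-8") + salt)
    return hmac.compare_digest(candidate.hexdigest(), record["hash"])


def distinct_digests(passwords, salted: bool, algo: str = "sha512") -> int:
    """Number of different stored digests a list of user passwords yields.
    Unsalted, every user sharing a password shares one digest, so a single
    precomputed (rainbow) table entry identifies all of them at once; with
    per-user salts the same password produces unrelated digests, and a
    table would have to be rebuilt per user."""
    if salted:
        return len({make_record(p, algo)["hash"] for p in passwords})
    return len({hashlib.new(algo, p.encode("utf-8")).hexdigest()
                for p in passwords})


if __name__ == "__main__":
    users = ["password1", "password1", "letmein"]  # constructed sample data
    print("unsalted distinct digests:", distinct_digests(users, False, "md5"))
    print("salted distinct digests:  ", distinct_digests(users, True, "md5"))
    rec = make_record("password1")
    print(verify("password1", rec), verify("password2", rec))
```

The comparison shows only the rainbow-table point raised in the thread; a fast digest such as md5, salted or not, still lets an attacker test guesses against one account at hardware speed, which is what the linked Coding Horror article goes on to address.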


