[wp-trac] Re: [WordPress Trac] #5367: Wordpress cookie authentication vulnerability
WordPress Trac
wp-trac at lists.automattic.com
Thu Dec 13 11:44:57 GMT 2007
#5367: Wordpress cookie authentication vulnerability
-------------------------------------+--------------------------------------
Reporter: sjmurdoch | Owner: westi
Type: defect | Status: assigned
Priority: normal | Milestone: 2.4
Component: Security | Version: 2.3.1
Severity: normal | Resolution:
Keywords: security, password, md5 |
-------------------------------------+--------------------------------------
Comment (by sjmurdoch):
Replying to [comment:44 ryan]:
> If SECRET_KEY is not set to something unique, use the DB connect info in
> the secret key? Good enough? Does that balance paranoia and practicality
> well enough?
That sounds like a bad idea to me. The database password is too short to
resist an offline brute force/dictionary attack. If we use it in the
cookie, anyone could discover the password with a bit of work.
--
Ticket URL: <http://trac.wordpress.org/ticket/5367#comment:45>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
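To illustrate sjmurdoch's objection, here is an added example (not WordPress code and not from the ticket) of a toy auth cookie that is HMAC-signed with a secret derived from database connection details. With one captured cookie, a password dictionary is enough to recover a secret built from a short DB password, while a secret drawn from a CSPRNG cannot be recovered this way. The cookie format, the derivation and the sample values are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed toy scheme: cookie = "user|expiry|HMAC-MD5(user|expiry, secret)".
def make_cookie(user: str, expiry: int, secret: bytes) -> str:
    data = f"{user}|{expiry}".encode()
    mac = hmac.new(secret, data, hashlib.md5).hexdigest()
    return f"{user}|{expiry}|{mac}"

def verify_cookie(cookie: str, secret: bytes) -> bool:
    user, expiry, mac = cookie.rsplit("|", 2)
    expected = hmac.new(secret, f"{user}|{expiry}".encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(mac, expected)

def secret_from_db_config(db_user: str, db_password: str, db_host: str) -> bytes:
    # Hypothetical "DB connect info as SECRET_KEY" derivation from the ticket's
    # proposal; its entropy is bounded by the DB password.
    return f"{db_user}:{db_password}@{db_host}".encode()

def recover_secret_offline(cookie: str, candidates: Iterable[bytes]) -> Optional[bytes]:
    # Offline check: a single captured cookie confirms or rejects each guess,
    # so the secret falls to a dictionary search if the password does.
    for cand in candidates:
        if verify_cookie(cookie, cand):
            return cand
    return None

def random_secret_key() -> bytes:
    # The mitigation: a unique 256-bit random SECRET_KEY, independent of any password.
    return secrets.token_bytes(32)

# Constructed sample data: DB host and user are assumed guessable (common defaults),
# so the search space is just the password dictionary.
DB_USER, DB_HOST = "wordpress", "localhost"
WEAK_DB_PASSWORD = "letmein"          # constructed weak password
WORDLIST = ["password", "123456", "qwerty", "letmein", "wordpress"]  # constructed

def demo_weak_secret_recovered() -> bool:
    secret = secret_from_db_config(DB_USER, WEAK_DB_PASSWORD, DB_HOST)
    cookie = make_cookie("admin", 1197600000, secret)
    guesses = (secret_from_db_config(DB_USER, pw, DB_HOST) for pw in WORDLIST)
    return recover_secret_offline(cookie, guesses) == secret

def demo_random_secret_survives() -> bool:
    secret = random_secret_key()
    cookie = make_cookie("admin", 1197600000, secret)
    guesses = (secret_from_db_config(DB_USER, pw, DB_HOST) for pw in WORDLIST)
    return recover_secret_offline(cookie, guesses) is None
```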