[wp-trac] Re: [WordPress Trac] #5367: Wordpress cookie authentication vulnerability
WordPress Trac
wp-trac at lists.automattic.com
Wed Dec 19 15:32:00 GMT 2007
#5367: Wordpress cookie authentication vulnerability
-------------------------------------+--------------------------------------
Reporter: sjmurdoch | Owner: westi
Type: defect | Status: assigned
Priority: normal | Milestone: 2.4
Component: Security | Version: 2.3.1
Severity: normal | Resolution:
Keywords: security, password, md5 |
-------------------------------------+--------------------------------------
Comment (by sjmurdoch):
Replying to [comment:47 ryan]:
> Since the sk is used in the cookie only as a salt for hash_hmac(), how
> easy is it to brute force?
It is exactly as easy as the entropy of the password. The vulnerability is
that by including it into the hash you're turning an online attack against
the database into an easily parallelizable offline attack. If the database
password is large, e.g. 128 bits of random data, then the attack won't
work; if it is small, it will.
Users might not realize this additional requirement that is now being
placed on the database password. It would be reasonable to expect that an
8-character password would be secure (41 bits of entropy), and against an
online attack it probably is. Users who make this assumption, not
realizing where else it is used, are at risk of an offline attack, for
which 41 bits is trivial.
--
Ticket URL: <http://trac.wordpress.org/ticket/5367#comment:60>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software