[wp-trac] Re: [WordPress Trac] #2394: Passwords are stored in an
insecure un-salted form
WordPress Trac
wp-trac at lists.automattic.com
Fri Jun 29 13:17:16 GMT 2007
#2394: Passwords are stored in an insecure un-salted form
-----------------------+----------------------------------------------------
Reporter: sjmurdoch    | Owner: pishmishy
Type: defect           | Status: assigned
Priority: normal       | Milestone: 2.4 (future)
Component: Security    | Version: 2.0
Severity: normal       | Resolution:
Keywords: has-patch    |
-----------------------+----------------------------------------------------
Comment (by pishmishy):
Replying to [comment:13 Otto42]:
> Password recovery is accomplished by generating a new random password
> and emailing that to the user. And yes, it uses an MD5 of the new random
> password in the database.

It's also used to generate the occurrence of c6d0fbc7 in
/wp-login.php?action=rp&key=c6d0fbc7 (for example).

> I fail to understand your point. Yes, those all use md5 for key
> generation, but none of that has anything to do with user passwords.

If we decide that there are faster ways to generate an md5 hash than
through md5() then would it not make sense to make the change across the
code and not just where it's involved with passwords?
--
Ticket URL: <http://trac.wordpress.org/ticket/2394#comment:14>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software