[wp-trac] Re: [WordPress Trac] #2394: Passwords are stored in an insecure un-salted form

WordPress Trac wp-trac at lists.automattic.com
Fri Jun 29 13:17:16 GMT 2007


#2394: Passwords are stored in an insecure un-salted form
-----------------------+----------------------------------------------------
 Reporter:  sjmurdoch  |        Owner:  pishmishy   
     Type:  defect     |       Status:  assigned    
 Priority:  normal     |    Milestone:  2.4 (future)
Component:  Security   |      Version:  2.0         
 Severity:  normal     |   Resolution:              
 Keywords:  has-patch  |  
-----------------------+----------------------------------------------------
Comment (by pishmishy):

 Replying to [comment:13 Otto42]:

 > Password recovery is accomplished by generating a new random password
 > and emailing that to the user. And yes, it uses an MD5 of the new random
 > password in the database.

 It's also used to generate the occurrence of c6d0fbc7 in
 /wp-login.php?action=rp&key=c6d0fbc7 (for example).

 > I fail to understand your point. Yes, those all use md5 for key
 > generation, but none of that has anything to do with user passwords.

 If we decide that there are faster ways to generate an md5 hash than
 through md5() then would it not make sense to make the change across the
 code and not just where it's involved with passwords?

-- 
Ticket URL: <http://trac.wordpress.org/ticket/2394#comment:14>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
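Added illustration (not part of the ticket thread and not WordPress code): the ticket's complaint is that md5(password) with no salt lets two users with the same password end up with the same stored hash, so one precomputed table serves every account. The script below contrasts that scheme with a per-user salted, iterated hash (PBKDF2-HMAC-SHA256 from Python's hashlib, chosen here as an assumption; the ticket itself does not name a replacement) and a constant-time verifier. The user list is constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: two accounts that happen to share a password.
USERS = {"alice": "correct horse", "bob": "correct horse"}


def unsalted_md5(password: str) -> str:
    """The scheme the ticket criticises: md5(password), no salt, one round."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_salted_record(password: str, iterations: int = 100_000,
                       salt: Optional[bytes] = None) -> str:
    """Per-user random salt + iterated PBKDF2 (assumed replacement scheme).

    The record carries algorithm, iteration count and salt so it can be
    verified later and re-hashed with a higher count when needed.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted_record(password: str, record: str) -> bool:
    """Recompute from the stored salt/iterations; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def compare_schemes(users: dict) -> dict:
    """Report whether equal passwords produce equal stored values."""
    unsalted = {u: unsalted_md5(p) for u, p in users.items()}
    salted = {u: make_salted_record(p) for u, p in users.items()}
    return {
        # True: same password -> same md5, so one lookup table fits all users.
        "unsalted_collide": len(set(unsalted.values())) < len(unsalted),
        # False: random salt makes each stored record unique.
        "salted_collide": len(set(salted.values())) < len(salted),
    }


if __name__ == "__main__":
    print(compare_schemes(USERS))
    rec = make_salted_record("correct horse")
    print(rec)
    print(verify_salted_record("correct horse", rec),
          verify_salted_record("wrong", rec))
```

The iteration count is what slows a brute-force attempt regardless of how fast a raw md5() call is, which is the distinction the reply above is reaching for: speed of the hash primitive matters for password storage in a way it does not for a one-off reset key.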