[wp-trac] Re: [WordPress Trac] #2394: Passwords are stored in an
insecure un-salted form
WordPress Trac
wp-trac at lists.automattic.com
Fri Nov 23 13:13:26 GMT 2007
#2394: Passwords are stored in an insecure un-salted form
-----------------------+----------------------------------------------------
 Reporter:  sjmurdoch  |        Owner:  pishmishy
     Type:  defect     |       Status:  assigned
 Priority:  normal     |    Milestone:  2.4
Component:  Security   |      Version:  2.0
 Severity:  normal     |   Resolution:
 Keywords:  has-patch salt password md5 phpass needs-testing  |
-----------------------+----------------------------------------------------
Changes (by pishmishy):
* keywords: needs-patch salt password md5 => has-patch salt password md5
phpass needs-testing
Comment:

I've attached a patch that achieves the same using phpass instead - it's not
that different to how I was salting passwords. I've gone for the portable,
MD5-based hash it provides, leaving the option to switch to other hash
functions when they are more widely available.

I've tested the patch with old style passwords, a new installation, and a
new user and all appears to work as intended. Testing on Windows may be in
order - phpass appears to attempt a different source of random data in
that case.

--
Ticket URL: <http://trac.wordpress.org/ticket/2394#comment:19>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
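
The migration discussed in the comment above, as an added Python sketch that is not the attached patch or WordPress code: it verifies both old unsalted MD5 hex digests and phpass-style portable `$P$` hashes, and returns a salted replacement when an old-style hash verifies. Upgrading at successful login, the function names and the sample password are assumptions of this example.

```python
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def encode64(data: bytes) -> str:
    """phpass-style encoding: each 3-byte group -> 4 chars, low 6 bits first."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        out.extend(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(len(chunk) + 1))
    return "".join(out)

def portable_hash(password: str, setting: str) -> str:
    """Salted, iterated MD5. setting = '$P$' + cost char + 8 salt chars (+ ignored rest)."""
    log2 = ITOA64.find(setting[3])
    if not 7 <= log2 <= 30:
        raise ValueError("iteration count out of range")
    pw = password.encode()
    digest = hashlib.md5(setting[4:12].encode() + pw).digest()
    for _ in range(1 << log2):          # 2**log2 stretching rounds
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest)

def new_hash(password: str, log2: int = 13) -> str:
    """Fresh 6-byte random salt per password; cost stored as one ITOA64 char."""
    setting = "$P$" + ITOA64[log2] + encode64(os.urandom(6))
    return portable_hash(password, setting)

def check_password(password: str, stored: str):
    """Return (ok, replacement). replacement is a salted hash to store when an
    old-style unsalted MD5 verified (assumed upgrade-on-login), else None."""
    if len(stored) == 32 and not stored.startswith("$"):   # old style: md5 hex
        legacy = hashlib.md5(password.encode()).hexdigest()
        ok = hmac.compare_digest(legacy.encode(), stored.lower().encode())
        return ok, (new_hash(password) if ok else None)
    if stored.startswith("$P$") and len(stored) == 34:
        try:
            candidate = portable_hash(password, stored)
        except ValueError:
            return False, None
        return hmac.compare_digest(candidate.encode(), stored.encode()), None
    return False, None

if __name__ == "__main__":
    old = hashlib.md5(b"correct horse").hexdigest()   # constructed legacy row
    print(check_password("correct horse", old))
```

Two users with the same password get identical digests under the old scheme but different `$P$` strings after the upgrade, which is what defeats precomputed lookup tables.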