[wp-trac] [WordPress Trac] #6754: Improve default wp_salt()

WordPress Trac wp-trac at lists.automattic.com
Wed Apr 16 19:04:30 GMT 2008


#6754: Improve default wp_salt()
----------------------+-----------------------------------------------------
 Reporter:  filosofo  |       Owner:  anonymous                  
     Type:  defect    |      Status:  new                        
 Priority:  normal    |   Milestone:  2.6                        
Component:  General   |     Version:                             
 Severity:  normal    |    Keywords:  SECRET_KEY wp_salt security
----------------------+-----------------------------------------------------
 As pointed out
 [http://www.securityfocus.com/archive/1/490887/30/0/threaded here], if
 someone gets the salt from db and SECRET_KEY is default or blank, the
 password security is no better off than it was in 2.3.3.

 My patch adds an md5 hash of the time wp-config.php was last modified and
 the database password, as a prefix to the secret key.  Neither should be
 available just from obtaining a database dump, and particularly the time
 wp-config.php was last modified should be difficult to determine, so that
 should reduce the effectiveness of such an attack as described above.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/6754>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
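The construction the ticket describes, as an added stand-alone example (not WordPress core code and not the reporter's patch): it models a salt made of a prefix derived from wp-config.php's modification time and the database password, followed by SECRET_KEY and the salt row stored in the options table, and it shows why a blank or default SECRET_KEY leaves the pre-patch salt fully recoverable from a database dump. All function names, the default-key string and the sample values are constructed for the example.

```php
<?php
// Added example, not WordPress core code: models the wp_salt() change proposed
// in ticket #6754 so the effect of a blank SECRET_KEY can be seen in isolation.

// Stand-in for the placeholder a fresh wp-config-sample.php would carry; a site
// still using it is treated as having no secret key. Constructed value.
const EXAMPLE_DEFAULT_SECRET_KEY = 'put your unique phrase here';

// True when the configured key adds nothing beyond the salt stored in the DB.
function example_secret_key_is_weak(string $secret_key): bool {
    return $secret_key === '' || $secret_key === EXAMPLE_DEFAULT_SECRET_KEY;
}

// Prefix as the ticket proposes: md5 of wp-config.php's mtime and the DB password.
// Neither value is present in a database dump.
function example_config_prefix(string $config_path, string $db_password): string {
    $mtime = @filemtime($config_path);
    if ($mtime === false) {
        throw new RuntimeException("cannot stat $config_path");
    }
    return md5($mtime . $db_password);
}

// Proposed salt: config-derived prefix, then SECRET_KEY, then the options-table salt.
function example_wp_salt(string $secret_key, string $db_salt,
                         string $config_path, string $db_password): string {
    return example_config_prefix($config_path, $db_password) . $secret_key . $db_salt;
}

// Demonstration with a constructed temporary config file.
$config = tempnam(sys_get_temp_dir(), 'wpcfg');
file_put_contents($config, "<?php define('DB_PASSWORD', 'example-db-pass');\n");
$db_salt = 'salt-row-from-options-table'; // the only secret a DB dump would yield

$weak     = '';                 // blank SECRET_KEY, as in the reported scenario
$salt_old = $weak . $db_salt;   // pre-patch shape: key . db salt
$salt_new = example_wp_salt($weak, $db_salt, $config, 'example-db-pass');

printf("SECRET_KEY weak: %s\n", example_secret_key_is_weak($weak) ? 'yes' : 'no');
printf("old salt recoverable from DB dump alone: %s\n", $salt_old === $db_salt ? 'yes' : 'no');
printf("new salt recoverable from DB dump alone: %s\n", $salt_new === $db_salt ? 'yes' : 'no');
unlink($config);
```

Two caveats worth keeping in mind when reading the demonstration: a file modification time is a Unix timestamp with bounded, guessable range rather than a high-entropy secret, so the prefix raises the cost of the attack rather than standing in for a real key, and an attacker who can read wp-config.php itself already has the database password and the key. The check in example_secret_key_is_weak() is the part a site operator actually wants: a unique SECRET_KEY in wp-config.php is what makes the salt independent of anything stored in the database.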