[wp-trac] Re: [WordPress Trac] #3604: wp-admin Password Encryption via JavaScript

WordPress Trac wp-trac at lists.automattic.com
Sun Jan 6 15:39:34 GMT 2008

#3604: wp-admin Password Encryption via JavaScript
 Reporter:  robertaccettura                |        Owner:  anonymous
     Type:  enhancement                    |       Status:  new      
 Priority:  low                            |    Milestone:  2.7      
Component:  Administration                 |      Version:           
 Severity:  normal                         |   Resolution:           
 Keywords:  security, encrypt, tinfoilhat  |  
Comment (by kalgriffen):

 Ok, here are my thoughts on how to implement this.  The most secure
 encryption, to my knowledge, uses public and private keys.

 If we generate a public/private key pair when wordpress is installed, or
 updated from a version that does not have a key pair, we can send the
 public key to the user inside the login page.  A simple javascript could
 then encode the password using the public key and send it back to the
 server when the user logs in.  The password is then decoded on the server
 side using the server's private key, and authenticated against the user's

 We would also need an additional value to be sent to the server from
 within the form to indicate if the password has been encrypted (indicating
 the user has javascript enabled), or that the password has not been
 encrypted (indicating javascript is disabled).

 Any thoughts on how strong a key we should use?  I was thinking 128 or 256
 bit, but we could easily use larger keys.  Keep in mind that a longer key
 will require more processing power, and time, during the install.

Ticket URL: <http://trac.wordpress.org/ticket/3604#comment:7>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list