[wp-trac] [WordPress Trac] #14803: Admins should be warned if authentication keys and salts have the default phrase
WordPress Trac
wp-trac at lists.automattic.com
Tue Sep 7 16:42:42 UTC 2010
#14803: Admins should be warned if authentication keys and salts have the default phrase
-------------------------+--------------------------------------------------
Reporter: coffee2code | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Keywords: has-patch
-------------------------+--------------------------------------------------
Comment(by Denis-de-Bernardy):
We could also use a unique salt per user and per session. And bcrypt (i.e.
Blowfish) to hash passwords. And HMAC to generate nonces, instead of
trying to reinvent the wheel.
http://php.net/manual/en/function.crypt.php
http://php.net/manual/en/function.hash-hmac.php
phpass, which is included in WP, has the needed code for bcrypt.
hash_hmac becomes available with WP 3.2, assuming we target PHP 5.2.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/14803#comment:2>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
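As an added illustration (not code from the ticket, the patch, or WordPress core): a check that flags the key/salt constants still carrying the sample-config placeholder, as the ticket title asks for, next to an HMAC nonce of the kind the comment proposes. The constant names and the placeholder string are the ones in WordPress's wp-config-sample.php; the function names and the nonce layout are assumptions made for this example.

```php
<?php
// Added example, not WordPress core code. Constant names and the placeholder
// phrase are those of wp-config-sample.php; everything else is illustrative.

const WP_SECRET_CONSTANTS = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];
const WP_DEFAULT_PHRASE = 'put your unique phrase here';

// Names of secret constants that are undefined, empty, or still set to the
// sample-config placeholder. A non-empty result is what an admin notice
// should be raised on.
function wp_weak_secret_constants(): array {
    $weak = [];
    foreach (WP_SECRET_CONSTANTS as $name) {
        if (!defined($name)) { $weak[] = $name; continue; }
        $value = constant($name);
        if ($value === '' || $value === WP_DEFAULT_PHRASE) {
            $weak[] = $name;
        }
    }
    return $weak;
}

// HMAC nonce bound to the action, the user, the session and a 12-hour
// window, keyed with the site secret. $offset = 1 recomputes the previous
// window so a nonce issued shortly before a window boundary still verifies.
function hmac_nonce(string $action, int $user_id, string $session, int $offset = 0): string {
    $tick = (int) floor(time() / 43200) - $offset;
    $data = "$tick|$action|$user_id|$session";
    return substr(hash_hmac('sha256', $data, NONCE_KEY . NONCE_SALT), 0, 16);
}

// Constant-time comparison against the current and the previous window.
function verify_hmac_nonce(string $nonce, string $action, int $user_id, string $session): bool {
    foreach ([0, 1] as $offset) {
        if (hash_equals(hmac_nonce($action, $user_id, $session, $offset), $nonce)) {
            return true;
        }
    }
    return false;
}

// Constructed demo values; in WordPress these come from wp-config.php.
define('NONCE_KEY',  WP_DEFAULT_PHRASE);
define('NONCE_SALT', 'c0nstructed-demo-salt-not-for-real-use');
print_r(wp_weak_secret_constants());   // six undefined, NONCE_KEY on the placeholder
$n = hmac_nonce('delete-post', 7, 'demo-session-token');
var_dump(verify_hmac_nonce($n, 'delete-post', 7, 'demo-session-token'));
var_dump(verify_hmac_nonce($n, 'delete-post', 8, 'demo-session-token'));
```

Because the secret is mixed into the MAC, a nonce is only as unpredictable as NONCE_KEY and NONCE_SALT, which is why the placeholder check matters before the nonce scheme does.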