[wp-trac] [WordPress Trac] #21420: Login without salted MD5 Password
WordPress Trac
wp-trac at lists.automattic.com
Mon Jul 30 14:08:57 UTC 2012
#21420: Login without salted MD5 Password
--------------------------+-----------------------
Reporter: shubhamoy | Owner:
Type: defect (bug) | Status: reopened
Priority: normal | Milestone:
Component: General | Version: 3.4.1
Severity: normal | Resolution:
Keywords: close |
--------------------------+-----------------------
Changes (by nacin):
* keywords: needs-patch needs-testing => close
Comment:
While the original benefit of upgrading a straight md5 hash was the
rolling upgrade, it still has benefits now.
When people get locked out of their sites, they are often encouraged to
update their database manually with a query that could include
MD5(password).
They have direct database access ''anyway'', which means they could also
calculate the proper portable $P$B hash and update the database row to
this, but that also brings up the point that accepting a login against a
plain md5 hash cannot possibly be a vulnerability. If you have direct
access to the database, you can do anything you want. That we "update"
straight hashes to salted hashes is the one absolute must. Beyond that,
the only purpose of hashing is to ensure that a leaked DB does not expose
insecurely hashed passwords. Changing WordPress to no longer accept and
upgrade md5 hashes doesn't make us any more secure.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/21420#comment:4>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
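The mechanism nacin describes, a login checked against a bare MD5 hash being accepted once and the row upgraded to a salted portable `$P$B` hash, as an added Python example that is not WordPress or phpass code. It re-implements phpass' published portable scheme so the upgrade path can be traced end to end; the function names and the constructed legacy hash in the comments are assumptions for this example.

```python
import hashlib
import secrets

# phpass "portable" hash as WordPress stores it: $P$ + count char + 8-char salt + 22 chars.
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
WP_COUNT_LOG2 = 13  # WordPress asks phpass for 8, phpass adds 5 on PHP 5: 'B' = 2^13 rounds

def _encode64(data: bytes, count: int) -> str:
    """phpass' own base64 variant: custom alphabet, little-endian groups, no padding."""
    out, i = '', 0
    while i < count:
        value = data[i]; i += 1
        out += ITOA64[value & 0x3f]
        if i < count:
            value |= data[i] << 8
        out += ITOA64[(value >> 6) & 0x3f]
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out += ITOA64[(value >> 12) & 0x3f]
        if i >= count:
            break
        i += 1
        out += ITOA64[(value >> 18) & 0x3f]
    return out

def crypt_private(password: str, setting: str) -> str:
    """Re-derive a portable hash from its 12-char prefix ($P$, count, salt); '*0' = not ours."""
    count_log2, salt = ITOA64.find(setting[3:4]), setting[4:12]
    if setting[:3] != '$P$' or not 7 <= count_log2 <= 30 or len(salt) != 8:
        return '*0'
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):  # 8192 further rounds for 'B'
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)

def hash_password(password: str) -> str:
    salt = ''.join(secrets.choice(ITOA64) for _ in range(8))
    return crypt_private(password, '$P$' + ITOA64[WP_COUNT_LOG2] + salt)

def check_password(password: str, stored: str) -> tuple[bool, str]:
    """Mirror wp_check_password(): a bare 32-hex MD5 is accepted once and replaced."""
    if len(stored) <= 32:
        ok = secrets.compare_digest(stored, hashlib.md5(password.encode()).hexdigest())
        return ok, (hash_password(password) if ok else stored)  # caller writes new hash back
    return secrets.compare_digest(crypt_private(password, stored), stored), stored
```

The returned hash is what the caller would write back to `wp_users.user_pass`; after that first login the plain MD5 value no longer exists in the row, which is the point nacin makes about a leaked database.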