[wp-trac] [WordPress Trac] #881: Lengthen password field for protected posts
WordPress Trac
noreply at wordpress.org
Wed Oct 21 20:48:23 UTC 2015
#881: Lengthen password field for protected posts
------------------------------------+-----------------------------
Reporter: ScytheBlade1 | Owner: pento
Type: enhancement | Status: assigned
Priority: normal | Milestone: Future Release
Component: Database | Version:
Severity: normal | Resolution:
Keywords: has-patch dev-feedback | Focuses:
------------------------------------+-----------------------------
Comment (by adamsilverstein):
[attachment:881.diff] is an alternate approach, no database update
required:
* when storing the password, create an md5 of the password, truncating it
to 20 characters. This should still provide significant entropy for a
simple password (see
[https://gist.github.com/adamsilverstein/68a75983f38df4ef3b4c this gist])
and has to be more secure than storing plaintext passwords
* on the login side, I added a new hashed password cookie, retaining
backwards compatibility with plaintext passwords already stored in the
database
* remove the `maxlength` limit from the password entry field (note: the
quick edit edition of this field _never_ had this limit, and entering a
long password there currently fails)
* no longer display password in the post publish meta box. It was a bad
idea to begin with and since we are hashing the password, we can't display
it, that's why it's secure.
Verified this all works locally with old and new passwords; some unit
tests would be great to help validate the approach.
Feedback welcome!
--
Ticket URL: <https://core.trac.wordpress.org/ticket/881#comment:22>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
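
The scheme described in the comment above, as an added PHP example that is not the code in 881.diff or WordPress core. The function names, the constant and the sample passwords are hypothetical; the 20-character length is the truncation the comment states.

```php
<?php
// Added example: hypothetical helpers, not WordPress core functions.

const EXAMPLE_STORED_LENGTH = 20; // truncation length stated in the comment

// Value to store: the first 20 hex characters (80 bits) of md5(password),
// so a password of any length fits without a schema change.
function example_hash_post_password(string $password): string {
    return substr(md5($password), 0, EXAMPLE_STORED_LENGTH);
}

// Check a submitted password against the stored value.
// New rows hold a truncated md5; legacy rows still hold the plaintext.
// Both comparisons always run and use hash_equals() to avoid timing leaks.
function example_check_post_password(string $submitted, string $stored): bool {
    $hashed_ok = hash_equals($stored, example_hash_post_password($submitted));
    $legacy_ok = hash_equals($stored, $submitted);
    return $hashed_ok || $legacy_ok;
}

// Constructed sample data.
$long_password = 'correct horse battery staple, well over twenty characters';
$stored_new    = example_hash_post_password($long_password); // new-style row
$stored_legacy = 'hunter2';                                  // legacy plaintext row

$cases = [
    'long password vs hashed row'    => [$long_password, $stored_new],
    'plaintext vs legacy row'        => ['hunter2', $stored_legacy],
    'wrong password vs hashed row'   => ['wrong', $stored_new],
    // With no marker separating hashed rows from legacy rows, the legacy
    // comparison also runs against hashed rows, so this case exercises
    // submitting the stored value itself.
    'stored value vs hashed row'     => [$stored_new, $stored_new],
];

printf("stored length: %d\n", strlen($stored_new));
foreach ($cases as $label => [$submitted, $stored]) {
    printf("%-30s %s\n", $label,
        example_check_post_password($submitted, $stored) ? 'accepted' : 'rejected');
}
```

The last case shows why a format marker on hashed rows matters when a plaintext fallback is kept. MD5 here is unsalted and fast, so the truncated value resists casual disclosure but not offline guessing of weak passwords.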