[wp-trac] [WordPress Trac] #33904: user_activation_key is too short causing password reset process to break when using bcrypt
WordPress Trac
noreply at wordpress.org
Wed Sep 16 20:18:31 UTC 2015
#33904: user_activation_key is too short causing password reset process to break when using bcrypt
--------------------------+-----------------------------
Reporter: tomdxw | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Users | Version: 4.3
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
The field for storing the hash of the password reset token
(user_activation_key in wp_users) is a varchar(60).
In 4.3, WordPress very wisely started including a timestamp field in
user_activation_key. This poses no problem when using the default
"portable" hashing algorithm which takes up 34 bytes in string form.
The timestamp plus the colon plus the hash takes up just 45 bytes. Plenty
of space left over.
However, at my company we use a plugin which replaces the default
$wp_hasher instance with something that produces slightly harder-to-crack
hashes (i.e. bcrypt):
$wp_hasher = new PasswordHash(12, false);
bcrypt produces password hashes which are 60 bytes long. So the
timestamped hash would be 71 bytes long.
And this means that the password reset mechanism breaks entirely.
WordPress attempts to store the new value in the database, but MySQL
complains because it's trying to store 71 bytes in a varchar(60).
But it still sends the email, and the user is left wondering why they
can't reset their password.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/33904>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
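As an added example, not code from the ticket, WordPress or phpass, the following Python reproduces the two lengths the reporter gives: a port of the phpass "portable" ($P$) hash that WordPress uses by default, a constructed 60-byte stand-in for the bcrypt string (only its length matters for the varchar(60) column), and the column-width check a reset routine could run before the UPDATE and the e-mail. The token, timestamp and bcrypt-shaped string are constructed values.

```python
import hashlib
import os

# Added example (not WordPress/phpass code): a port of the phpass "portable"
# $P$ hash, so the 45- and 71-byte key lengths from the ticket can be reproduced.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
COLUMN_WIDTH = 60  # wp_users.user_activation_key is varchar(60)

def encode64(data: bytes, count: int) -> str:
    """phpass PasswordHash::encode64 (3 bytes -> 4 chars, least significant bits first)."""
    out, i = [], 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count: value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count: break
        i += 1
        if i < count: value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count: break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count: break
    return "".join(out)

def phpass_portable(password: str, count_log2: int = 8, salt: bytes = None) -> str:
    """$P$ hash as produced by WordPress's default new PasswordHash(8, true): always 34 chars."""
    salt = os.urandom(6) if salt is None else salt
    setting = "$P$" + ITOA64[min(count_log2 + 5, 30)] + encode64(salt, 6)
    pw = password.encode()
    h = hashlib.md5(setting[4:12].encode() + pw).digest()
    for _ in range(1 << ITOA64.index(setting[3])):  # 2**(count_log2+5) MD5 rounds
        h = hashlib.md5(h + pw).digest()
    return setting + encode64(h, 16)

def activation_key(token_hash: str, now: int) -> str:
    """WP 4.3 stores time() . ':' . $wp_hasher->HashPassword($key)."""
    return f"{now}:{token_hash}"

def fits_column(value: str, width: int = COLUMN_WIDTH) -> bool:
    """Guard to run before the UPDATE, i.e. before the reset e-mail goes out."""
    return len(value.encode()) <= width

# Stand-in for a phpass bcrypt ($2a$) string: only its fixed 60-byte length matters here.
BCRYPT_SHAPED = "$2a$12$" + "s" * 22 + "h" * 31
NOW = 1442434711  # constructed 10-digit Unix timestamp

portable_key = activation_key(phpass_portable("reset-token"), NOW)  # 45 bytes, fits
bcrypt_key = activation_key(BCRYPT_SHAPED, NOW)                     # 71 bytes, rejected
```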