[wp-trac] [WordPress Trac] #51702: Warn of potentially poor/insecure password generation
WordPress Trac
noreply at wordpress.org
Tue Nov 3 20:28:34 UTC 2020
#51702: Warn of potentially poor/insecure password generation
-----------------------------+-----------------------------
 Reporter:  desrosj          |      Owner:  (none)
     Type:  feature request  |     Status:  new
 Priority:  normal           |  Milestone:  Awaiting Review
Component:  Site Health      |    Version:
 Severity:  normal           |   Keywords:  2nd-opinion
  Focuses:                   |
-----------------------------+-----------------------------
`wp_generate_password()` is responsible for generating random strings for
many things in core. To name a few,
[https://core.trac.wordpress.org/browser/trunk/src/wp-includes/class-wp-application-passwords.php?rev=49490#L49 Application Passwords],
[https://core.trac.wordpress.org/browser/trunk/src/wp-admin/setup-config.php?rev=49490#L324 Core salts] (as a fallback),
[https://core.trac.wordpress.org/browser/trunk/src/wp-admin/includes/privacy-tools.php?rev=49490#L335 random file names] (Privacy), default
user passwords, and more. Each scenario passes the length of the desired
generated string and whether to include 2 different sets of special
characters.
In addition to being fully pluggable, there is a `random_password` filter
within `wp_generate_password()` that can alter the result of the generated
password. The `$length` argument should always be respected and
`wp_generate_password()` should never return a string shorter than
requested. If this does happen, the user should be made aware that
potentially insecure strings are being generated so that they can attempt
to fix this.
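One way such a Site Health check could look, as an added example that is not part of this ticket or of WordPress core: it calls `wp_generate_password()` with a few representative length/flag combinations, flags any result shorter than requested, and points the administrator at the two places the ticket names as possible causes (a `random_password` filter callback, or a plugin that has overridden the pluggable function). The `example_51702_*` function and test names are hypothetical; `wp_generate_password()`, `has_filter()`, `site_status_tests` and the result array shape are WordPress core APIs.

```php
<?php
/**
 * Hypothetical Site Health test (added example, not WordPress core code).
 * Probes wp_generate_password() and reports when it returns a string
 * shorter than the requested $length.
 *
 * Returns an array of problem descriptions; empty means all probes passed.
 */
function example_51702_probe_password_generation() {
	$problems = array();

	// Representative calls: requested length, special chars, extra special chars.
	// These mirror the argument signature wp_generate_password() accepts.
	$probes = array(
		array( 12, false, false ),
		array( 24, true,  false ),
		array( 64, true,  true  ),
	);

	foreach ( $probes as $probe ) {
		list( $length, $special, $extra_special ) = $probe;

		// Sample several times: a filter callback might only misbehave
		// intermittently (e.g. when stripping characters it dislikes).
		for ( $i = 0; $i < 5; $i++ ) {
			$pw  = wp_generate_password( $length, $special, $extra_special );
			$got = is_string( $pw ) ? strlen( $pw ) : 0;

			if ( $got < $length ) {
				$problems[] = sprintf( 'requested %d characters, received %d', $length, $got );
				break;
			}
		}
	}

	return $problems;
}

/**
 * Site Health callback: converts probe results into the array shape
 * WP_Site_Health expects from a direct test.
 */
function example_51702_site_health_test() {
	$problems = example_51702_probe_password_generation();

	$result = array(
		'label'       => __( 'Generated passwords have the requested length' ),
		'status'      => 'good',
		'badge'       => array( 'label' => __( 'Security' ), 'color' => 'blue' ),
		'description' => '<p>' . __( 'wp_generate_password() returned strings of the requested length.' ) . '</p>',
		'actions'     => '',
		'test'        => 'example_51702_password_generation',
	);

	if ( ! empty( $problems ) ) {
		$result['status']         = 'critical';
		$result['badge']['color'] = 'red';
		$result['label']          = __( 'Generated passwords may be shorter than requested' );
		$result['description']    = '<p>' . esc_html( implode( '; ', $problems ) ) . '</p>';

		// Point the admin at the likely cause named in the ticket.
		if ( has_filter( 'random_password' ) ) {
			$hint = __( 'A plugin or theme hooks the random_password filter; check its callback.' );
		} else {
			$hint = __( 'wp_generate_password() appears to be overridden by a plugin (it is pluggable); check active plugins.' );
		}
		$result['actions'] = '<p>' . esc_html( $hint ) . '</p>';
	}

	return $result;
}

// Register the test with Site Health as a direct (synchronous) test.
add_filter(
	'site_status_tests',
	function ( $tests ) {
		$tests['direct']['example_51702_password_generation'] = array(
			'label' => __( 'Password generation length' ),
			'test'  => 'example_51702_site_health_test',
		);
		return $tests;
	}
);
```

Because the check only observes the function's output, it reports the same way whether the shortfall comes from a filter callback or from a plugin replacing the pluggable function outright; the `has_filter()` branch merely decides which hint to show. Running several samples per probe matters because a callback that strips particular characters will only shorten the output when those characters happen to be drawn.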
--
Ticket URL: <https://core.trac.wordpress.org/ticket/51702>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform