Remove password hash from email template | ww.wp.xz.cn

Resolved gplasky
(@gplasky)

12 years, 10 months ago

I think it would be useful to remove the password hash from the email template. Granted it is hashed, but if it were to fall into the wrong hands, I could see that being a problem. I.e. Person X gets the hash of person Y who accidentally typed their password wrong by 1 character. X takes the hash and runs it through a rainbow table until they come up with a matching hash for Y’s failed attempt, and then proceeds to modify the “correct” off-by-one password with various iterations in the hopes of finding the correct password for Y.

The surface area allowed for this attack is very small considering LSS’ default policies, but I just don’t see any reason to expose this hash outside of WordPress. At the very least it would be nice to have this as a toggle-able option in the plugin config.

Thanks (and feedback welcome)!

http://ww.wp.xz.cn/plugins/login-security-solution/

Viewing 1 replies (of 1 total)

Plugin Author Daniel Convissor
(@convissor)

12 years, 4 months ago

Hi:

The md5() call made by this plugin includes the AUTH_SALT, which comes from each install’s WP config file. Thus the hash can’t be reversed via rainbow tables.

Thanks for making sure things are secure,

–Dan

Viewing 1 replies (of 1 total)

The topic ‘Remove password hash from email template’ is closed to new replies.

Tags

password

1 reply
2 participants
Last reply from: Daniel Convissor
Last activity: 12 years, 4 months ago
Status: resolved