Obtaining the MD5 hash is not that difficult. A lot of shared hosts do
not protect the web roots of their users properly which makes it a
trivial task to obtain the contents of wp-config.php and connect to the
user's database and obtain the hash. Simply using word that are not a
part of any language will keep you safe against weaker cracking
attempts; however, a determined hacker can, and will make use of rainbow
tables which have hashes not only for dictionary words, but also huge
collections of random alphanumeric and special character strings.
So, IF the host is setup properly, IF the application is not vulnerable
to queries that can return the admin password hash and IF the hacker is
not determined enough to use a rainbow table to crack the hash, then
yes, it's nothing to worry about.
From what I understand, it's a relatively trivial matter to add a
"salt" function that would further protect the MD5 hash. I believe this
would be the best solution because the upgrade script could prompt the
user for a salt string and the hashes could be converted as part of the
upgrade process. Another option is generating the salt string
automatically and outputting it for the user to save in a safe place.
Bull3t wrote:
You need to know the MD5 hash of the password in the first place and even
then it is just luck of the draw, it really isn't that worrying. Just use a
password that isn't part of a language?
--------------------------------------------
Bull3t
http://www.bull3t.me.uk/
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:wp-testers-
[EMAIL PROTECTED] On Behalf Of Pål GD
Sent: 21 November 2007 13:45
To: [email protected]
Subject: Re: [wp-testers] Wordpress Google MD5 hash crack
Cornell Finch wrote:
I know this probably isn't the right place to put this but I don't
know where else to submit it:
http://www.theregister.co.uk/2007/11/21/google_md5_crack/
Is this something we should be worried about?
Collin
Yes, indeed. Wordpress should have been doing salting[1], which I don't
think they do.
[1] http://en.wikipedia.org/wiki/Salting_(cryptography)
_______________________________________________
wp-testers mailing list
[email protected]
http://lists.automattic.com/mailman/listinfo/wp-testers
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.5.503 / Virus Database: 269.16.2/1143 - Release Date:
21/11/2007
10:01
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.503 / Virus Database: 269.16.2/1143 - Release Date: 21/11/2007
10:01
_______________________________________________
wp-testers mailing list
[email protected]
http://lists.automattic.com/mailman/listinfo/wp-testers
--
Best regards,
James Morris
PkbCS, LLC
[EMAIL PROTECTED]
http://pkbcs.com/
_______________________________________________
wp-testers mailing list
[email protected]
http://lists.automattic.com/mailman/listinfo/wp-testers
