Opened 3 years ago
Last modified 8 months ago
#11813 new defect (bug)
Post password stored as plaintext
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | Future Release |
| Component: | Security | Version: | 2.9.1 |
| Severity: | normal | Keywords: | post-password |
| Cc: | ericmann | | |
Description
When a user specifies a password for a protected post it's stored as plaintext in the database. Considering the rate at which people recycle personal passwords, does this open a user's site to potential security risks?
While not necessarily our responsibility, this would raise issues if they use the same password for a login and for their protected posts.
Change History (7)
As suggested for private posts in #11695, it might be nice to move password stuff into a "canonical" plugin. Currently it's pretty hacky.
Perhaps we can block post passwords if when hashed it is the same as their user password...
Replying to nacin:
> Perhaps we can block post passwords if when hashed it is the same as their user password...
That would be an excellent short-term solution that would increase security (protect users from themselves, really). But I'm still somewhat uncomfortable storing anything that resembles a password in plaintext.
It's something that is designed to be shared, so storing it hashed is pretty much a no-go. People will need to refer to it, change it, etc. There is a reason why we store it in a type=text field, rather than type=password. That alone should probably scare most people away from entering a full password.
Perhaps calling it something other than a "password" would also help, but that ship has sailed.
Replying to nacin:
> It's something that is designed to be shared, so storing it hashed is pretty much a no-go.

Good point.

> Perhaps calling it something other than a "password" would also help, but that ship has sailed.
Perhaps we could rename it in a future release? It won't be the first time we've renamed a feature. (Admin bar => toolbar)

I see no harm in doing at least a simple md5() on the password. (It shouldn't be the same hashing function used for user passwords)
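
The reuse check suggested earlier in this ticket (block a post password that matches the author's login password), as an added example that is not part of the ticket or of WordPress core. The function names and sample values are hypothetical, and PHP's `password_hash()` / `password_verify()` stand in for the site's own hasher; inside WordPress the verifying call would be `wp_check_password()`.

```php
<?php
// Added example: names are hypothetical, sample data is constructed.

/**
 * True when the post password is the same secret as the login password.
 *
 * Login passwords are stored as salted hashes, so hashing the post password
 * again and comparing the two strings would never match: every hash carries
 * its own salt. The stored hash has to be used as the verifier instead.
 */
function example_post_password_reuses_login(string $post_password, string $stored_login_hash): bool
{
    if ($post_password === '') {
        return false; // nothing was entered, so there is nothing to compare
    }
    return password_verify($post_password, $stored_login_hash);
}

/** Validate a post password before it is saved in plaintext with the post. */
function example_validate_post_password(string $post_password, string $stored_login_hash): array
{
    if (example_post_password_reuses_login($post_password, $stored_login_hash)) {
        return ['ok' => false, 'error' => 'Post password must differ from your login password.'];
    }
    return ['ok' => true, 'error' => null];
}

// Constructed sample: the author's stored login hash and three candidate post passwords.
$stored_login_hash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
$candidates = ['correct horse battery staple', 'book-club-2010', ''];

foreach ($candidates as $candidate) {
    $result = example_validate_post_password($candidate, $stored_login_hash);
    printf(
        "%-34s %s\n",
        var_export($candidate, true),
        $result['ok'] ? 'accepted' : 'rejected: ' . $result['error']
    );
}
```

The check only covers the password of the account whose hash is passed in, and it costs one password verification per save.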