[patch] The extension mechanisms related to hashing and storing passwords could be improved
Reported by: monperrus | Owned by:
I've just written a plugin which allows storing passwords in a way that is compatible with HTTP digest (see http://www.monperrus.net/martin/wp-http-digest). The advantage of this approach is that it enables me to build services using HTTP digest authentication on top of standard WordPress accounts.
The hash of HTTP digest passwords is md5(username:realm:password). Since it requires the username, overriding wp_hash_password($password) is not enough.
Eventually, I had to override:
- wp_check_password to concatenate username:realm:password
- wp_set_password to correctly update the password
- wp_new_user_notification to intercept newly created passwords
- add_action('profile_update', 'action_profile_update' ); to intercept updated passwords.
The last two changes are somewhat of a hack. If wp_insert_user and wp_update_user used wp_set_password instead of calling wp_hash_password directly, I would only have to override wp_check_password and wp_set_password, and it would be fine.
Thus, I suggest adding a call to wp_set_password in wp_insert_user.
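The digest check that the description depends on, as an added example that is not part of the original ticket or of the plugin: it shows why the stored value needs the username and how a server validates a Digest response from that stored value alone. The function names `digest_ha1` and `digest_response_valid` are hypothetical, and the sample values are the worked example from RFC 2617 section 3.5.

```php
<?php
// Added illustration, not WordPress or plugin code. Function names are hypothetical.

// HA1 as given in the ticket: md5(username:realm:password).
// A hook with the signature wp_hash_password($password) cannot produce it,
// because the username and realm are not available there.
function digest_ha1(string $username, string $realm, string $password): string {
    return md5(implode(':', [$username, $realm, $password]));
}

// Server-side validation of a Digest response (RFC 2617, qop=auth) using only
// the stored HA1. $p holds fields parsed from the Authorization header.
function digest_response_valid(string $storedHa1, string $method, array $p): bool {
    $ha2 = md5($method . ':' . $p['uri']);
    $expected = md5(implode(':', [
        $storedHa1, $p['nonce'], $p['nc'], $p['cnonce'], $p['qop'], $ha2,
    ]));
    // Constant-time comparison of the two hex digests.
    return hash_equals($expected, $p['response']);
}

// Sample input: the worked example from RFC 2617 section 3.5.
$realm  = 'testrealm@host.com';
$stored = digest_ha1('Mufasa', $realm, 'Circle Of Life'); // value kept in the user table

$request = [
    'uri'      => '/dir/index.html',
    'nonce'    => 'dcd98b7102dd2f0e8b11d0f600bfb0c093',
    'nc'       => '00000001',
    'cnonce'   => '0a4f113b',
    'qop'      => 'auth',
    'response' => '6629fae49393a05397450978507c4ef1',
];

// Validate the client's response against the stored HA1.
var_dump(digest_response_valid($stored, 'GET', $request));

// The same password under another username (constructed value) gives a
// different HA1, so the stored value is tied to username and realm and must
// be recomputed from the plaintext password whenever either one changes.
$other = digest_ha1('Simba', $realm, 'Circle Of Life');
var_dump(hash_equals($stored, $other));
var_dump(digest_response_valid($other, 'GET', $request));
```

Because the server validates with the stored HA1 alone, that value is sufficient to authenticate within the realm and needs the same protection as the password itself. It is also an unsalted MD5, so it does not have the properties of a salted, stretched password hash.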
Change History (8)
- Milestone Awaiting Review deleted
- Resolution set to invalid
- Status changed from new to closed
- Cc monperrus added
- Summary changed from The extension mechanisms related to hashing and storing passwords could be improved to [patch] The extension mechanisms related to hashing and storing passwords could be improved