Changes between Initial Version and Version 1 of Ticket #21022, comment 8


Ignore:
Timestamp:
10/28/12 09:24:43 (3 years ago)
Author:
jammycakes
Comment:

Legend:

Unmodified
Added
Removed
Modified
  • Ticket #21022, comment 8

    initial v1  
Initial version (line 1):

IMO, bcrypt needs to be made the default, out of the box option. The idea that WordPress admins should have to go hunting for a plugin to do this scares me, simply because most of them won't unless (a) they are well versed in web security, (b) they know that WordPress uses a weak alternative by default, and (c) they consider it to be an issue worth worrying about.

Version 1 (line 1, modified):

IMO, bcrypt needs to be made the default, out of the box option. The idea that WordPress admins should have to go hunting for a plugin or tweak configuration options to do this scares me, simply because most of them won't unless (a) they are well versed in web security, (b) they know that WordPress uses a weak alternative by default, and (c) they consider it to be an issue worth worrying about.

Unchanged (lines 2-3):

People often underestimate the seriousness of MD5 and the SHA-* algorithms being "less secure." They aren't just less secure: thanks to developments in password cracking in the past few years using GPU- and FPGA-based software, they are '''totally useless.''' Programs such as oclHashCat even have an option specifically to crack passwords in WordPress databases -- and the rate at which they can do so is terrifying. If you're not making a strong password hashing algorithm the default, out of the box option, you're exposing your users to unacceptable and unnecessary risk.
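The comment argues for bcrypt as the default because fast hashes can be brute-forced at GPU speed while bcrypt's work factor makes each guess expensive. The PHP below is an added illustration, not code from the ticket or from WordPress core: it contrasts a fast unsalted MD5 record (used here as a stand-in for the weak scheme the comment describes; the exact legacy format is an assumption) with a bcrypt hash produced by PHP's standard password_hash(), verifies either kind, picks a cost factor by timing the host, and flags a legacy record for rehashing on the next successful login. Function names are the example's own.

```php
<?php
// Added example, not WordPress's own code. Requires PHP 5.5+ for password_hash().

// Legacy scheme (assumption: a single unsalted MD5 hex digest). Equal passwords
// give equal hashes and a GPU cracker can test billions of guesses per second.
function legacy_md5_hash(string $password): string
{
    return md5($password);
}

// bcrypt via the standard library: per-hash random salt and a tunable cost,
// so every guess costs the attacker 2^cost rounds of work.
function bcrypt_hash(string $password, int $cost = 12): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Detects the legacy record format so both kinds can be verified during a migration.
function is_legacy_record(string $stored): bool
{
    return strlen($stored) === 32 && ctype_xdigit($stored);
}

// Verifies a password against either record type, using constant-time comparison
// for the legacy format so the comparison itself does not leak timing information.
function verify_password(string $password, string $stored): bool
{
    if (is_legacy_record($stored)) {
        return hash_equals($stored, md5($password));
    }
    return password_verify($password, $stored);
}

// A legacy record, or a bcrypt record below the current cost, should be replaced
// the next time the user logs in successfully (the plaintext is only available then).
function needs_upgrade(string $stored, int $cost = 12): bool
{
    return is_legacy_record($stored)
        || password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Raises the bcrypt cost until one hash takes roughly the target time on this host;
// the result is what a deployment would store as its default cost.
function choose_bcrypt_cost(float $target_seconds = 0.25): int
{
    $cost = 10;
    while ($cost < 31) {
        $start = microtime(true);
        password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        if (microtime(true) - $start >= $target_seconds) {
            return $cost;
        }
        $cost++;
    }
    return $cost;
}

// Constructed sample input.
$password = 'correct horse battery staple';
$legacy   = legacy_md5_hash($password);
$modern   = bcrypt_hash($password);

printf("legacy record: %s\n", $legacy);
printf("bcrypt record: %s\n", $modern);
printf("legacy verifies: %s, needs upgrade: %s\n",
    verify_password($password, $legacy) ? 'yes' : 'no',
    needs_upgrade($legacy) ? 'yes' : 'no');
printf("bcrypt verifies: %s, needs upgrade: %s\n",
    verify_password($password, $modern) ? 'yes' : 'no',
    needs_upgrade($modern) ? 'yes' : 'no');
printf("suggested cost for this host: %d\n", choose_bcrypt_cost());

// Login-time migration: once the legacy record verifies, replace it in storage.
if (verify_password($password, $legacy) && needs_upgrade($legacy)) {
    $legacy = bcrypt_hash($password);   // persist this in place of the MD5 record
}
```

The timing loop is the practical counterpart to the comment's point: the cost factor is chosen so that a legitimate login stays cheap while each offline guess costs the attacker the same amount of work, and it can be raised later without touching existing records because password_needs_rehash() reports which ones are below the new cost.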