Changes between Version 1 and Version 2 of Ticket #50510, comment 4
Timestamp: 06/24/2021 07:14:46 PM (5 years ago)
Ticket #50510, comment 4
v1  v2
3   3   The benefits of these changes are:
4   4   * Uses the sha512/sha256 hashing algorithm for increased nonce length and performance improvements with longer nonce actions. Longer actions prevent brute forcing of the nonce for known action names. MD5 was the previous hashing algorithm used and is not secure enough for what nonces are being used for in WordPress. https://en.wikipedia.org/wiki/MD5#Security
5   -   * Adds complexity to the nonce has algorithm to make them more difficult to reverse engineer using rainbow tables. (removed)
-   5   * Adds complexity to the nonce hash algorithm to make them more difficult to reverse engineer using rainbow tables. (added)
6   6   * Adds a browser id to the nonce action to help prevent known hash reuse.
7   7   * Reject nonces from browsers with no or invalid user agent strings. This will prevent lazy bots from submitting requests.
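One way the four points in the comment could look side by side in code, as an added illustration that is neither WordPress core nor the ticket's patch: the constants `NONCE_LIFE` and `NONCE_SALT`, the 8-character user-agent floor, the 32-hex-character truncation and all function names are assumptions made for this example, and the sample user agent and session token are constructed inputs.

```php
<?php
// Stand-alone model of the nonce changes the comment lists. This is an added
// illustration, not WordPress code and not the ticket's patch; every constant
// and function name here is an assumption made for the example.

const NONCE_LIFE = 86400;                                 // assumed lifetime: one day
const NONCE_SALT = 'replace-with-a-long-random-secret';   // stands in for the site secret

// Two ticks per lifetime, so a nonce issued just before a boundary stays valid.
function nonce_tick(int $now): int
{
    return (int) ceil($now / (NONCE_LIFE / 2));
}

// Before: MD5 over the pieces, truncated to 10 hex characters (40 bits).
function legacy_nonce(string $action, int $uid, string $token, int $now): string
{
    $tick = nonce_tick($now);
    return substr(md5($tick . '|' . $action . '|' . $uid . '|' . $token . NONCE_SALT), -12, 10);
}

// Browser id: reject empty or implausibly short user agents outright, otherwise
// hash the UA so that a nonce minted for one browser does not verify for another.
function browser_id(?string $user_agent): ?string
{
    if ($user_agent === null || strlen(trim($user_agent)) < 8) {
        return null;
    }
    return hash('sha256', $user_agent);
}

// After: keyed SHA-256 (HMAC) with the browser id mixed into the action, keeping
// 128 bits of the digest. Keying with the secret defeats precomputed tables;
// the longer output makes guessing the nonce for a known action impractical.
function hardened_nonce(string $action, int $uid, string $token, ?string $user_agent, int $now): ?string
{
    $bid = browser_id($user_agent);
    if ($bid === null) {
        return null;
    }
    $tick = nonce_tick($now);
    $mac  = hash_hmac('sha256', $tick . '|' . $action . '|' . $bid . '|' . $uid . '|' . $token, NONCE_SALT);
    return substr($mac, 0, 32);
}

// Verification accepts the current tick and the previous one and compares in
// constant time; a missing or invalid UA fails before any hashing happens.
function verify_hardened_nonce(string $nonce, string $action, int $uid, string $token, ?string $user_agent, int $now): bool
{
    foreach ([$now, $now - (int) (NONCE_LIFE / 2)] as $t) {
        $expected = hardened_nonce($action, $uid, $token, $user_agent, $t);
        if ($expected !== null && hash_equals($expected, $nonce)) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs.
$now   = time();
$ua    = 'Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0';
$token = 'constructed-session-token';

printf("legacy (md5, 40 bits):   %s\n", legacy_nonce('delete-post_42', 7, $token, $now));
$nonce = hardened_nonce('delete-post_42', 7, $token, $ua, $now);
printf("hardened (hmac-sha256):  %s\n", $nonce);
// Same browser and current tick: the nonce round-trips.
printf("same browser verifies:   %s\n", var_export(verify_hardened_nonce($nonce, 'delete-post_42', 7, $token, $ua, $now), true));
// Different user agent: a different browser id, so the same nonce is refused.
printf("other UA verifies:       %s\n", var_export(verify_hardened_nonce($nonce, 'delete-post_42', 7, $token, 'curl/7.68.0', $now), true));
// Empty user agent: no nonce is minted at all.
printf("empty UA gets a nonce:   %s\n", var_export(hardened_nonce('delete-post_42', 7, $token, '', $now), true));
```

The binding to the user agent is deliberately a hash of the raw string: any header the client can set is also a header an attacker can copy, so the browser id raises the bar for replay across clients and filters requests with no UA, but it is not an authentication factor; the secret key in the HMAC and the per-session token are what keep the nonce unforgeable.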