Opened 12 years ago

Closed 12 years ago

#5401 closed enhancement (fixed)

Strengthen password generation, and make generation function pluggable

Reported by: pishmishy Owned by: pishmishy
Milestone: 2.5 Priority: normal
Severity: normal Version:
Component: Security Keywords: password pluggable has-patch
Focuses: Cc:
PR Number:

Description

Password generation currently uses code such as

substr(md5(uniqid(microtime())), 0, 6);

to generate passwords. This does produce a random string, but the output is a hexadecimal representation of a number. This only features numbers and the characters "abcdef", reducing the search space of a six-letter password by over 3,000 times.

16^6 = 16777216 possible passwords

62^6 = 56800235584 possible passwords

I've written a function that draws a random string from this larger set of characters. In practice we may wish to trim this a little so that users don't confuse O and 0, 1 and l etc. As with #2394 the new function is pluggable. It replaces the old style code used in new installs, password resets, new registrations and post-by-email passwords.

The attached patch also corrects some comments.
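As an added example (this is not the patch attached to the ticket and not WordPress's own code), the hex-only generator quoted above beside a replacement that draws every character from the full 62-symbol alphabet, written in the pluggable `function_exists()` style the description refers to, followed by the search-space arithmetic behind the figures given. Assumptions: the function name `wp_generate_password` (the name WordPress later used; the ticket itself does not name the function), PHP 7's `random_int()` as the random source, and an `$avoid_ambiguous` flag I added to illustrate the O/0 and l/1 trimming the description suggests.

```php
<?php
// Added example: not the patch attached to this ticket and not WordPress code.
// It contrasts the hex-only generator quoted in the description with one that
// draws from a 62-character alphabet, and checks the ticket's search-space figures.

// Old style, as quoted in the ticket. md5() returns hexadecimal, so each of the
// six kept characters is one of only 16 symbols (0-9, a-f). The input is also a
// timestamp rather than a random source; hashing it does not add entropy.
function old_style_password() {
    return substr( md5( uniqid( microtime() ) ), 0, 6 );
}

// Pluggable replacement in the WordPress style: if a plugin loaded earlier has
// already defined a function of this name, this definition is skipped. The name
// wp_generate_password is an assumption here; the ticket does not name it.
if ( ! function_exists( 'wp_generate_password' ) ) {
    function wp_generate_password( $length = 12, $avoid_ambiguous = false ) {
        $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
        if ( $avoid_ambiguous ) {
            // Drop the characters the description says users confuse: O/0, l/1 (and I).
            $alphabet = str_replace( array( 'O', '0', 'l', '1', 'I' ), '', $alphabet );
        }
        $max      = strlen( $alphabet ) - 1;
        $password = '';
        for ( $i = 0; $i < $length; $i++ ) {
            // random_int() is PHP's CSPRNG (7.0+). It postdates this ticket and is
            // used here as a modern stand-in for whatever the 2007 patch drew from.
            $password .= $alphabet[ random_int( 0, $max ) ];
        }
        return $password;
    }
}

// Search space = alphabet size ^ length: the arithmetic behind the
// "over 3,000 times" comparison in the description.
function search_space( $alphabet_size, $length ) {
    return $alphabet_size ** $length;
}

$hex_space   = search_space( 16, 6 );
$alnum_space = search_space( 62, 6 );
printf( "hex (16^6):   %d\n", $hex_space );
printf( "alnum (62^6): %d\n", $alnum_space );
printf( "ratio:        %.0f\n", $alnum_space / $hex_space );

// Sanity checks on the two generators' output.
$old = old_style_password();
assert( preg_match( '/^[0-9a-f]{6}$/', $old ) === 1 );

$new = wp_generate_password( 12 );
assert( preg_match( '/^[0-9A-Za-z]{12}$/', $new ) === 1 );

$safe = wp_generate_password( 12, true );
assert( strpbrk( $safe, 'O0l1I' ) === false );
```

Run with `php example.php`. The ratio line reproduces the description's point: six characters from 62 symbols give roughly 3,400 times as many possible passwords as six hexadecimal digits, and the `$avoid_ambiguous` variant shows that dropping five look-alike characters costs little of that gain.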

Attachments (1)

password-generation.patch (4.3 KB) - added by pishmishy 12 years ago.
Strengthens password generation

Change History (4)

@pishmishy
12 years ago

Strengthens password generation

#1 @pishmishy
12 years ago

  • Owner changed from anonymous to pishmishy
  • Status changed from new to assigned

#2 @lloydbudd
12 years ago

  • Milestone changed from 2.5 to 2.4

#3 @ryan
12 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [6385]) Pluggable random password generator from pishmishy. fixes #5401
