Improve default wp_salt()
Reported by: filosofo
Owned by: ryan
Component: Security
Keywords: SECRET_KEY wp_salt security
As pointed out here, if someone gets the salt from db and SECRET_KEY is default or blank, the password security is no better off than it was in 2.3.3.
My patch adds an md5 hash of the time wp-config.php was last modified and the database password, as a prefix to the secret key. Neither should be available just from obtaining a database dump, and particularly the time wp-config.php was last modified should be difficult to determine, so that should reduce the effectiveness of such an attack as described above.
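As an added illustration (not the ticket's patch and not WordPress's own wp_salt()), a simplified PHP model of the two derivations described above, placing the default behaviour beside the proposed prefix; the function names, the placeholder phrase, the stored salt, the mtime and the DB password are all constructed assumptions:

```php
<?php
// Constructed model of the salt derivation discussed in the ticket. It is not
// WordPress code; $db_salt stands in for the 'secret' option stored in the
// database, and the other inputs are placeholders.

// Default behaviour: a configured SECRET_KEY is prefixed to the database salt,
// but when SECRET_KEY is blank or still the placeholder phrase the effective
// secret is only the value that also sits in the database.
function salt_default( $secret_key, $db_salt, $placeholder = 'put your unique phrase here' ) {
    if ( $secret_key === '' || $secret_key === $placeholder ) {
        $secret_key = '';
    }
    return $secret_key . $db_salt;
}

// Proposed behaviour: prefix the key with md5( mtime of wp-config.php . DB_PASSWORD ).
// Neither input appears in a database dump, so the dumped salt alone no longer
// reproduces the hashing secret.
function salt_with_config_prefix( $secret_key, $db_salt, $config_mtime, $db_password,
                                  $placeholder = 'put your unique phrase here' ) {
    $prefix = md5( $config_mtime . $db_password );
    return $prefix . salt_default( $secret_key, $db_salt, $placeholder );
}

// Defender's check: does the secret collapse to exactly the database-stored
// value (the weak case the ticket describes)?
function dump_alone_suffices( $derived_salt, $db_salt ) {
    return $derived_salt === $db_salt;
}

// Constructed inputs for a blank SECRET_KEY.
$db_salt = 'Qm7x1cP9Lk3R';          // constructed: value of the 'secret' option
$mtime   = 1204000000;              // constructed: filemtime('wp-config.php')
$db_pass = 'example-db-password';   // constructed: DB_PASSWORD

echo 'default, blank SECRET_KEY, dump alone suffices: ';
var_dump( dump_alone_suffices( salt_default( '', $db_salt ), $db_salt ) );

echo 'prefixed, blank SECRET_KEY, dump alone suffices: ';
var_dump( dump_alone_suffices( salt_with_config_prefix( '', $db_salt, $mtime, $db_pass ), $db_salt ) );
```

One consequence of using the file's mtime as input is that any edit to wp-config.php changes the derived secret and so invalidates everything hashed with it, such as existing auth cookies.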
Change History (13)
- Component changed from General to Security
- Owner changed from anonymous to ryan
- Priority changed from normal to low
- Severity changed from normal to minor