| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Wordpress Cookie Authentication Vulnerability
Wordpress Cookie Authentication Vulnerability
Posted Nov 20, 2007 6:41 UTC (Tue) by lutchann (subscriber, #8872)In reply to: Wordpress Cookie Authentication Vulnerability by Ross
Parent article: Wordpress Cookie Authentication Vulnerability
That's true of pretty much any authentication system, except those based on asymmetric cryptography. Wordpress is far from unusual in storing password equivalents on disk. So unless Wordpress somehow encouraged making the user table accessible to attackers, I still don't see why this is a big deal.
(Log in to post comments)
Wordpress Cookie Authentication Vulnerability
Posted Nov 20, 2007 9:15 UTC (Tue) by Ross (subscriber, #4065) [Link]
It's true that any encrypted password can be attacked offline if you have the hash, but if the passwords were properly salted, it would be much more expensive to crack them because an attacker couldn't build a pre-encrypted dictionary.
Wordpress Cookie Authentication Vulnerability
Posted Nov 20, 2007 16:10 UTC (Tue) by drag (subscriber, #31333) [Link]
Ya.. Google around for 'Rainbow tables'. There are ones you can download for free and ones you can pay for. Just going out to pirate bay and doing a quick search I found downloads for MD5, SHA1, and NT Lan manager tables.
Wordpress Cookie Authentication Vulnerability
Posted Nov 20, 2007 18:21 UTC (Tue) by Los__D (subscriber, #15263) [Link]
The main purpose of salts is to combat things like rainbow tables.
Wordpress Cookie Authentication Vulnerability
Posted Nov 20, 2007 19:12 UTC (Tue) by jengelh (subscriber, #33263) [Link]
The main purpose of rainbow tables is to combat unsalted web apps ;-)