I've just downloaded and installed Word Press 1.01 on my local machine and it works quite well. However, I forgot the admin password so I logged into my MySQL console to change it. I was shocked to discover that the passwords were all stored in plaintext - i.e. with no encryption whatsoever.
Why on earth aren't passwords encrypted/hashed using md5 (functionality for this is built into both PHP and MySQL!)? It's crazy to have passwords in any two-way encryption form if all you're doing is checking to see whether the user has entered the correct value.
Passwords stored in plaintext?!? (8 posts)
-
Anonymous
Posted 8 years ago # -
Lester Chan
Posted 8 years ago #for 1.1 it is encrypted.
-
Nick Momrik
Posted 8 years ago #In the latest nightly builds encrypted passwords have been implemented.
-
Posted 8 years ago #When is 1.1 going to be available though? I'm not using a system that can't even protect passwords properly.
-
Ryan Boren
Posted 8 years ago #The nightly builds have been quite stable. Give one a try. Once it is installed, make sure you run upgrade.php in order to update the database with the MD5 hashes.
-
Posted 8 years ago #Stable? It won't even let me change my password:
"ERROR: you typed your new password only once. Go back to type it twice."
There is only one box to type it in... -
Matt Mullenweg
Posted 8 years ago #There are two boxes right next to each other on your profile page. These should probably be on seperate lines because people often miss one.
-
Posted 8 years ago #There aren't two boxes next to each other when I tried it...
Topic Closed
This topic has been closed to new replies.
