WordPress.org


security - passwordhash question. (3 posts)

  1. sandstrom
    Member
    Posted 8 years ago #

    As I have understood it, hashing a password (one-way encryption), which is used in WordPress, has a set number of possible hashes. Say 5000 different hashes.

    If I have understood this correctly (which I may not), isn't this a security risk? If anyone brute-forces the admin account, after 5000 tries they could have put in some word that generates exactly the same hash as the admin password, and therefore be granted access.

    /alexander

  2. Mark (podz)
    Support Maven
    Posted 8 years ago #

    Where do you get this figure of 5000?

    The default password is 6 characters, each of which can be a-z + 0-9. That's 36 characters? The first pw character can therefore be any 1 of 36, and so can the next 5.
    So (1*36)+(1*36)+(1*36)+(1*36)+(1*36)+(1*36)=2176782336 permutations (or thereabouts). Somewhat more than 5000.

    And that assumes that people like me don't go changing their passwords to random 16 characters.

    If someone wants to batter their way into my blog, I have no doubt at all that they can if they are determined enough. Security though is partly making what you have less attractive and more difficult than someone else.

  3. sandstrom
    Member
    Posted 8 years ago #

    5000 was taken out of the air, I think that value could be smaller or larger.

    As I have understood it, the password is hashed using MD5, which has a total number of possible hashes. Anything run through the algorithm will output as any of the hashes, but 5000 might be terribly wrong; it could be 3,4028236692093846346337460743177e+38.
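
The question in this thread, worked through as an added example (not part of any post and not WordPress code): MD5 truncated to 12 bits stands in for a hash with only about 5000 possible outputs, and is compared with full 128-bit MD5 and with the 6-character a-z/0-9 password space. The sample password, the candidate strings and all function names are assumptions made for the illustration.

```python
import hashlib

MD5_BITS = 128  # an MD5 digest is 128 bits, so there are 2**128 possible values


def truncated_md5(text: str, bits: int) -> int:
    """Return the top `bits` bits of MD5(text) as an integer."""
    digest = int.from_bytes(hashlib.md5(text.encode()).digest(), "big")
    return digest >> (MD5_BITS - bits)


def tries_until_match(password: str, bits: int, max_tries: int):
    """Count guesses until a *different* string has the same truncated hash.

    Returns (tries, guess), or None if nothing matched within max_tries.
    """
    target = truncated_md5(password, bits)
    for n in range(1, max_tries + 1):
        guess = f"guess{n}"  # constructed candidate strings
        if guess != password and truncated_md5(guess, bits) == target:
            return n, guess
    return None


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passwords of exactly `length` characters."""
    return alphabet_size ** length


if __name__ == "__main__":
    pw = "s3cret"  # constructed sample password
    # Toy hash with 2**12 = 4096 outputs, close to the "5000" in the thread:
    # some other string matches after a few thousand guesses.
    print("12-bit toy hash :", tries_until_match(pw, 12, 200_000))
    # Full MD5: the same search finds nothing, since 2**128 outputs is far
    # beyond what guessing can cover.
    print("full 128-bit MD5:", tries_until_match(pw, MD5_BITS, 200_000))
    # The password space is the smaller number, so weak passwords, not the
    # size of the hash output, are what a login brute force exploits.
    print("6 chars, a-z0-9 :", keyspace(36, 6))
    print("MD5 outputs     :", 2 ** MD5_BITS)
```

With the toy 12-bit hash the concern raised in the first post is real; with 128 bits the limiting factor is the password space, which is why rate limiting and longer passwords matter more than the number of possible hashes.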
