Login Security Solution
[resolved] Remove password hash from email template (2 posts)

  1. gplasky
    Posted 2 years ago

    I think it would be useful to remove the password hash from the email template. Granted it is hashed, but if it were to fall into the wrong hands, I could see that being a problem. I.e. Person X gets the hash of person Y who accidentally typed their password wrong by 1 character. X takes the hash and runs it through a rainbow table until they come up with a matching hash for Y's failed attempt, and then proceeds to modify the "correct" off-by-one password with various iterations in the hopes of finding the correct password for Y.

    The surface area allowed for this attack is very small considering LSS' default policies, but I just don't see any reason to expose this hash outside of WordPress. At the very least it would be nice to have this as a toggle-able option in the plugin config.

    Thanks (and feedback welcome)!


  2. Daniel Convissor
    Plugin Author

    Posted 2 years ago


    The md5() call made by this plugin includes the AUTH_SALT, which comes from each install's WP config file. Thus the hash can't be reversed via rainbow tables.

    Thanks for making sure things are secure,
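The point made in the reply, shown as an added example that is not the plugin's own code: a precomputed table of plain md5 digests recovers an unsalted hash of a failed attempt but not one mixed with an install-specific AUTH_SALT. The salt value, the candidate list and the concatenation order are constructed assumptions for this illustration.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Constructed sample salt; a real one lives in the site's wp-config.php.
AUTH_SALT = "example-salt-from-wp-config-php"


def plugin_style_hash(attempt: str, auth_salt: str = AUTH_SALT) -> str:
    """Salted md5 as the reply describes it: the failed attempt is hashed
    together with AUTH_SALT. The salt+attempt order is an assumption; the
    thread only says the salt is included."""
    return hashlib.md5((auth_salt + attempt).encode("utf-8")).hexdigest()


def unsalted_hash(attempt: str) -> str:
    """Plain md5 of the attempt, which is all a precomputed table can cover."""
    return hashlib.md5(attempt.encode("utf-8")).hexdigest()


def build_precomputed_table(candidates) -> Dict[str, str]:
    """Stand-in for a rainbow table: unsalted digest -> plaintext, built
    from a small constructed candidate list."""
    return {unsalted_hash(c): c for c in candidates}


def reverse_via_table(digest: str, table: Dict[str, str]) -> Optional[str]:
    """Look a digest up in the precomputed table; None when absent."""
    return table.get(digest)


# Constructed candidates standing in for the table's coverage.
CANDIDATES = ["password", "passw0rd", "letmein", "qwerty123"]
TABLE = build_precomputed_table(CANDIDATES)


def demo(attempt: str = "passw0rd") -> Tuple[Optional[str], Optional[str]]:
    """Returns (plaintext recovered from the unsalted digest, plaintext
    recovered from the salted digest). The second is None because the
    table was built without the site's salt."""
    return (
        reverse_via_table(unsalted_hash(attempt), TABLE),
        reverse_via_table(plugin_style_hash(attempt), TABLE),
    )


if __name__ == "__main__":
    print(demo())  # ('passw0rd', None)
```

The salt only defeats precomputation: anyone holding both the hash and the salt can still run a dictionary search against it, which is why limiting where the hash travels is still a reasonable hardening step.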


Topic Closed

This topic has been closed to new replies.
