Login Security Solution
[resolved] Remove password hash from email template (2 posts)

  1. gplasky
    Member
    Posted 1 year ago

    I think it would be useful to remove the password hash from the email template. Granted it is hashed, but if it were to fall into the wrong hands, I could see that being a problem. I.e. Person X gets the hash of person Y who accidentally typed their password wrong by 1 character. X takes the hash and runs it through a rainbow table until they come up with a matching hash for Y's failed attempt, and then proceeds to modify the "correct" off-by-one password with various iterations in the hopes of finding the correct password for Y.

    The surface area allowed for this attack is very small considering LSS' default policies, but I just don't see any reason to expose this hash outside of WordPress. At the very least it would be nice to have this as a toggle-able option in the plugin config.

    Thanks (and feedback welcome)!

    http://wordpress.org/plugins/login-security-solution/

  2. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago

    Hi:

    The md5() call made by this plugin includes the AUTH_SALT, which comes from each install's WP config file. Thus the hash can't be reversed via rainbow tables.

    Thanks for making sure things are secure,

    --Dan
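The salt point in Dan's reply, shown as an added example (not the plugin's own code, and in Python rather than the plugin's PHP): a precomputed md5 table recovers a near-miss password hashed on its own, but not one hashed together with a per-install salt. The salt values, the common-password list and the order in which salt and attempt are concatenated are constructed assumptions, since the thread only says AUTH_SALT is included.

```python
import hashlib

# Constructed sample "rainbow table": md5 digests precomputed for a handful of
# common passwords. Real tables are vastly larger; the lookup works the same way.
COMMON_PASSWORDS = ["password", "letmein", "hunter2", "Passw0rd!"]
RAINBOW_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

# Constructed per-install secrets standing in for the AUTH_SALT constant that
# WordPress keeps in wp-config.php; the real values are long random strings.
SALT_SITE_A = "constructed-salt-for-site-A"
SALT_SITE_B = "constructed-salt-for-site-B"

def unsalted_hash(attempt: str) -> str:
    """md5 of the attempted password alone: the exposure the original poster feared."""
    return hashlib.md5(attempt.encode()).hexdigest()

def salted_hash(attempt: str, auth_salt: str) -> str:
    """Assumed shape of the plugin's hash: md5 over AUTH_SALT plus the attempt.
    The thread only says the salt is included; the exact order is an assumption."""
    return hashlib.md5((auth_salt + attempt).encode()).hexdigest()

def reverse_with_table(digest: str):
    """Precomputed-table lookup: the original password, or None if absent."""
    return RAINBOW_TABLE.get(digest)

def compare_exposure(attempt: str) -> dict:
    """Show what a leaked notification hash gives away with and without the salt."""
    plain = unsalted_hash(attempt)
    salted_a = salted_hash(attempt, SALT_SITE_A)
    salted_b = salted_hash(attempt, SALT_SITE_B)
    return {
        # Without a salt the table recovers the near-miss password directly.
        "unsalted_recovered": reverse_with_table(plain),
        # With the salt the digest is not in any table built without that salt.
        "salted_recovered": reverse_with_table(salted_a),
        # The same attempt hashes differently per install, so one table cannot serve all.
        "differs_per_install": salted_a != salted_b,
        # Within one install the hash is stable, so an admin can still spot the
        # same wrong password being retried across several notifications.
        "stable_within_install": salted_a == salted_hash(attempt, SALT_SITE_A),
    }

if __name__ == "__main__":
    print(compare_exposure("hunter2"))
```

The protection rests on AUTH_SALT staying private to the install; anyone holding the salt could rebuild a table for that site, which is why it lives in wp-config.php and not in the notification.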

Topic Closed

This topic has been closed to new replies.
