Support » Plugin: Login Security Solution » Remove password hash from email template

  • Resolved gplasky


    I think it would be useful to remove the password hash from the email template. Granted it is hashed, but if it were to fall into the wrong hands, I could see that being a problem. I.e. Person X gets the hash of person Y who accidentally typed their password wrong by 1 character. X takes the hash and runs it through a rainbow table until they come up with a matching hash for Y’s failed attempt, and then proceeds to modify the “correct” off-by-one password with various iterations in the hopes of finding the correct password for Y.

    The surface area allowed for this attack is very small considering LSS’ default policies, but I just don’t see any reason to expose this hash outside of WordPress. At the very least it would be nice to have this as a toggle-able option in the plugin config.

    Thanks (and feedback welcome)!

Viewing 1 replies (of 1 total)
  • Plugin Author Daniel Convissor



    The md5() call made by this plugin includes the AUTH_SALT, which comes from each install’s WP config file. Thus the hash can’t be reversed via rainbow tables.

    Thanks for making sure things are secure,
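The point made in the reply above, as an added example that is not part of the thread or the plugin's code: a lookup table precomputed over unsalted MD5 hashes finds a plain `md5(password)` but misses a hash whose input also includes a per-install salt. The salt values, the candidate list and the password-then-salt concatenation order are assumptions made for illustration; the thread only says the `md5()` input includes `AUTH_SALT`.

```python
import hashlib

# Constructed sample values; none come from the plugin or from a real site.
CANDIDATES = ["password", "letmein", "hunter2", "correcthorse"]
SALT_SITE_A = "constructed-auth-salt-for-site-A"
SALT_SITE_B = "constructed-auth-salt-for-site-B"


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def salted_md5(password: str, salt: str) -> str:
    # Assumption: the salt is appended to the password before hashing.
    return md5_hex(password + salt)


def build_table(candidates, salt=""):
    """Precompute digest -> plaintext. With salt="" this is a generic,
    reusable table; any other salt makes it specific to one install."""
    return {salted_md5(c, salt): c for c in candidates}


def lookup(table, digest):
    """Return the plaintext for a digest, or None if it is not in the table."""
    return table.get(digest)


def demo():
    generic = build_table(CANDIDATES)
    typed = "hunter2"
    hash_a = salted_md5(typed, SALT_SITE_A)
    hash_b = salted_md5(typed, SALT_SITE_B)
    return {
        "unsalted_found": lookup(generic, md5_hex(typed)),
        "salted_a_found": lookup(generic, hash_a),
        "salted_b_found": lookup(generic, hash_b),
        "same_hash_across_installs": hash_a == hash_b,
        # The table only works again once it is rebuilt with the install's salt.
        "found_if_salt_known": lookup(build_table(CANDIDATES, SALT_SITE_A), hash_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last result shows that the protection rests on `AUTH_SALT` staying private in the install's WP config file.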


  • The topic ‘Remove password hash from email template’ is closed to new replies.