WordPress passwords, password reset – insecure key length

You’ve probably already noticed that the default WordPress passwords (the ones generated during installation for the admin user) are too short. So you changed yours right after installing, didn’t you?

Now bad news.

Since a system’s security is only as good as its weakest link, your carefully chosen long WordPress password (or was it a passphrase?) is no better than the default one.

Apparently all it takes is guessing a 32-bit key together with the email address of the user in question (the secret components of the WordPress reset link) to reset that user’s WordPress password to another 32-bit key, which is the length of the passwords WordPress generates.

Of course, 32 bits isn’t too bad: exhausting the whole key space by brute force would take 136 years at 1 second per try (not an unreasonable rate for a web request). But wouldn’t it be just a little more soothing if all those keys and passwords were, say, 64 bits long?

