WordPress finally discovers salted passwords

WordPress 2.5 is out today and it looks mighty impressive. I’m going to wait a few days for reports of compatibility with the plugins I’m using before I upgrade, but after that, expect to see WordPress 2.5 on this blog soon.

Looking through the changes list, I did notice one odd thing. WordPress 2.5 finally adds salt to stored password hashes. It’s nearly inconceivable to me that WordPress went so long without salted passwords — it’s an incredibly important security technique that essentially has zero implementation cost. When I was helping to design the software infrastructure that powers Veropedia, I made sure that password hash salting was in our alpha. And yet it takes the fine folks over at WordPress until version 2.5 to implement it? Did they not realize how important it is to security?

Here’s why password salting is so important. The naive algorithm for storing login passwords in a database is to store them as plaintext. User tries to login, the inputted password is matched against the password field under their username in the database, and if it matches, the login is successful. The reason this is terrible security practice is because if the database is compromised (which is surprisingly easy to accomplish even remotely using SQL injection) the entire list of passwords can be revealed, compromising the entire site and everyone who is registered to use it.

So the next step in the evolution of login security (and this happened decades ago) was to use a one-way function called a hash function to store the password in the database. I won’t go into the details of how a hash function works, but the key point to know is that it is one way: given an input, you can quickly calculate the output, but given the output, you cannot calculate what the input was. So, now password hashes are stored in the database instead of the raw password, and when a user goes to log in, their input is hashed and compared against the value in the database. This is what WordPress used up until version 2.5.

There’s just one major flaw with this seemingly secure system. There are only a few widely-used hash algorithms, and they all necessarily run quickly on small inputs, so it’s trivial to pre-compute a huge list of potential passwords and their associated hash values. This is called a rainbow table, and larger rainbow tables have trillions of entries in them, pretty much guaranteeing a successful attack against less secure passwords (short ones, ones that don’t use numbers and punctuation, etc.). So we’re pretty much back to square one: database is compromised, the hashed passwords are compared with the rainbow table nearly instantaneously, and lots of accounts can be compromised.

That’s where salting comes in. Instead of just storing the hashed passwords, store the hash of the concatenation of the password and some unique value for each user account. This security measure makes pre-computed rainbow tables useless, effectively requiring a huge rainbow table to be constructed for each individual password to be cracked. The extra string that is added to the password before hashing is called the salt. The most commonly used salts are the user account number and the user account name. So whereas before HASH(password) was being stored in the database, now HASH(username . password) is stored (the period is the concatenation operator). It’s literally that simple to implement: add a few characters to one line of code in the web application for greatly enhanced security.

Thus, anyone writing any sort of software that processes logins should use password salting. It’s essentially instant to implement, and it provides huge security benefits. That’s why I’m astounded that it took WordPress five years and two major versions to finally implement it. Who knows how many thousands of sites have been compromised in the interim thanks to its absence? But still, better late than never.

11 Responses to “WordPress finally discovers salted passwords”

  1. Greg Maxwell Says:

    One angle you should have mentioned is that the lack of salted hashing makes database/server compromise especially *attractive*. It matters less that information theft from web-app databases is often easy and a lot more that a lack of solid salted hashing encourages people to try.

    Given the choice it is usually a lot less work to have nothing worth stealing than to have valuable things and need to protect them.

    … and it’s even important for low importance sites since many users will use the same password over and over again. You want your web-app using salted passwords so that bad guys don’t try to compromise your site to get your passwords just to try them on your user’s email or bank websites.

    All that said, web security is still pretty miserable. Even with the best salted password scheme available server compromise is still attractive because the server sees the cleartext password at login. An attacker could install some software to intercept the passwords as they come in… of course, thats usually a harder more active attack compared to simply reading the database.

    There is a solution to that problem called SRP or Secure Remote Password. SRP allows the user to prove his identity to the server, and the server to prove his identity to the user, with no risk of man-in-the-middle, and without storing anything more useful than a salted hashed password on the server.

    Unfortunately SRP is not widely implemented in internet protocols. There are patches against popular remote login, web server, and browser software but they have not been adopted in the mainline. Part of this is clearly due to the fear created by the fact that Standford has patented this bit of pure mathematics. (I find it interesting that the Wikipedia article makes no mention of the patent issues with SRP, I wonder if it was whitewashed out or if it was simply never in there…)

    All this is probably moot however, since only a tiny fraction of web logins are SSL encrypted. Anyone who can access the links between you and the non-SSL sites you visit can view your passwords trivially and there are often many people with those abilities. …. I’ve even heard that some less than completely ethical ISPs sell this kind information to organized crime just like many ISPs sell information about failed domain name lookups … but perhaps thats just rumors.

  2. William Says:

    Hey, Cyde, have you seen this?
    As a self-proclaimed member, I thought you ought to know.

  3. Cyde Weys Says:

    William: Yeah, I heard about it. I can’t say it particularly means much to me, as Anonymous is a Stand Alone Complex and thus no one controls its members.

    Obviously, I think that’s a terrible thing to do, and if it was actually done by the “Internet Hate Machine” (as opposed to Scientology trying to make them look bad), I really wish they hadn’t.

  4. drinian Says:

    Well, it seems like the mainstream media more or less ignored the 3/15 demonstrations anyway, so I guess it’s back to harassment of the weak for the *chan world.

  5. Cyde Weys Says:

    I’m kind of in a predicament here because when I originally wrote the blog post that hinted I considered myself part of “Anonymous”, I wasn’t yet aware of any of their pre-Scientology activities. I thought they had just formed spontaneously to oppose Scientology. Then I was informed in the blog comments that Anonymous had been around for a good while before then, but that their activities had been a lot more unsavory. So, yeah, it’s a silly situation. I think the new movement that’s opposing Scientology should pick a different name for themselves (“Suppressive Persons”?) and focus just on those activities. The epilepsy thing is really stupid.

  6. T2A` Says:

    Anon didn’t hack the epilespy site. Co$ did and blamed it on Anon for more bad press.

  7. Cyde Weys Says:

    T2A`: Except there really isn’t a way to know that. It could be Anonymous, unfortunately. That would be consistent with some of the things they were doing pre-Scientology.

  8. T2A` Says:

    It’s also consistent with the shady shit Co$ has done over the years.

  9. Cyde Weys Says:

    Thus there’s no way to say conclusively, as you did, that Scientology did it and blamed it on Anonymous. It could’ve been either one.

  10. drinian Says:

    Well, I would have to guess that the IP access logs on the message boards involved, both at 7chan and the epilepsy foundation, could shine some light on the situation. For instance:
    1) They used Tor and are untraceable.
    2) Lots of IPs near Clearwater, FL. (CoS).
    3) Distributed IPs throughout the English-speaking world, i.e. everywhere except Japan. (*channers).

  11. Muhammad Ali Says:

    I want to display registered user plain password, I tried but it displays encrypted password, I m writing a plugin, my plugin has form in which user cab registered , after registration i want to email the plain password but not the encrypted one. Help would be appreciated.