Secure Cookies and Passwords

WordPress 2.4 will feature a new format for authentication cookies and a new password hashing algorithm. Cookies will be based on the secure cookie protocol described in the Liu paper. The cookie is structured like so:

user name|expiration time|HMAC(user name|expiration time, k)
where k = HMAC(user name|expiration time, sk)
and where sk is a server-side secret key

The new cookie protocol will allow us to enforce expirations server-side (the expiration is covered by the HMAC, so a client cannot extend it), mass invalidate all outstanding cookies at once by changing sk, and offer high-level confidentiality. Read the Liu paper for details on the protocol, and see ticket 5367 for details on our implementation of the protocol.
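The following is an added example of the cookie scheme above, not WordPress's own code. It derives the per-cookie key k from the server secret sk, MACs the user name and expiration with k, and checks both the MAC and the expiration on the server. The hash function (SHA-256), the hex encoding, the `|` separator handling and the names `SERVER_SECRET`, `make_cookie` and `check_cookie` are my choices; the post does not fix them.

```python
"""Added example, not WordPress's own code: the cookie scheme from the post.

    cookie = user|expires|HMAC(user|expires, k)   where k = HMAC(user|expires, sk)

sk is a long-lived server secret. Rotating it invalidates every outstanding
cookie at once, and the expiration is enforced here rather than trusted from
the browser. SHA-256 and hex output are assumptions, not the post's choice.
"""
import hashlib
import hmac
import secrets

# Stand-in for the server's secret key; a real site loads a fixed value from config.
SERVER_SECRET = secrets.token_bytes(32)


def _mac(key: bytes, msg: str) -> str:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).hexdigest()


def make_cookie(user: str, expires: int, sk: bytes = SERVER_SECRET) -> str:
    """Issue user|expires|mac. The separator must not occur in the user name."""
    if "|" in user:
        raise ValueError("user name must not contain '|'")
    data = f"{user}|{expires}"
    k = _mac(sk, data)                      # per-cookie key derived from sk
    return f"{data}|{_mac(k.encode('ascii'), data)}"


def check_cookie(cookie: str, now: int, sk: bytes = SERVER_SECRET):
    """Return the user name if the cookie is authentic and unexpired, else None."""
    parts = cookie.split("|")
    if len(parts) != 3 or not parts[1].isdecimal():
        return None
    user, expires, mac = parts
    data = f"{user}|{expires}"
    k = _mac(sk, data)
    if not hmac.compare_digest(_mac(k.encode("ascii"), data), mac):
        return None                         # forged or altered (user, expiry or MAC changed)
    if now > int(expires):
        return None                         # expired; decided server-side
    return user


if __name__ == "__main__":
    c = make_cookie("alice", 2_000_000_000)
    print(c)
    print(check_cookie(c, now=1_900_000_000))                        # alice
    print(check_cookie(c.replace("alice", "admin"), 1_900_000_000))  # None: MAC no longer matches
    print(check_cookie(c, now=1_900_000_000, sk=b"rotated"))         # None: new sk kills every old cookie
```

Because k is itself derived from sk and the cookie fields, a leaked k for one cookie does not help forge a cookie for another user or expiration, which is the point of the two-level HMAC.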

In conjunction with the new cookies, password hashing will be improved by moving to phpass. phpass provides password stretching (many iterated hash rounds) and per-user random salting. Stretching makes brute-forcing your password hashes far more expensive, and salting defeats precomputed tables, should someone get access to your database. phpass is being considered for inclusion by Drupal and phpBB, which bodes well for integrators who want to auth all of these apps off of one user table. However, I’m not sure how well things like mod_auth_mysql play with the portable hashes generated by phpass. Anyone with experience there? While moving the code to phpass, we made password hashing completely pluggable should integrators need to switch to a different hash. Hopefully everything can play nice with phpass.
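As an added example (not the post's code and not phpass itself), here is the phpass portable hash re-implemented in Python so the salt and the stretching loop are visible. The `$P$` format, the itoa64 alphabet, the count encoding and the MD5 iteration follow phpass's `crypt_private`; the function names `hash_password` and `check_password` are mine. It is checked against the `test12345` vector that phpass ships in its test.php.

```python
"""Added example: phpass "portable" hash ($P$) in Python, not phpass's own code.

Format:  $P$ + itoa64[log2(rounds)] + 8-char salt + 22-char hash   (34 chars)
Hash:    h = md5(salt . pw); then 2**log2 times: h = md5(h . pw)
"""
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def encode64(data: bytes, count: int) -> str:
    """phpass's own base-64 variant (not RFC 4648): least-significant bits first."""
    out, i = [], 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def crypt_private(password: str, setting: str) -> str:
    """Hash `password` under `setting` (prefix + count + salt); '*0'/'*1' on a bad setting."""
    output = "*0"
    if setting[:2] == output:
        output = "*1"                      # never return something equal to the input
    if len(setting) < 12 or setting[:3] not in ("$P$", "$H$"):
        return output
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return output
    salt = setting[4:12]
    pw = password.encode("utf-8")
    h = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << count_log2):      # the stretching loop
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + encode64(h, 16)


def hash_password(password: str, count_log2: int = 13) -> str:
    """Fresh random 48-bit salt; 13 -> 8192 rounds, the '$P$B' prefix WordPress hashes carry."""
    setting = "$P$" + ITOA64[count_log2] + encode64(os.urandom(6), 6)
    return crypt_private(password, setting)


def check_password(password: str, stored: str) -> bool:
    """Re-hash with the stored salt and count, then compare in constant time."""
    return hmac.compare_digest(crypt_private(password, stored), stored)


if __name__ == "__main__":
    print(check_password("test12345", "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0"))  # True
    print(hash_password("correct horse"))                                    # $P$B... (34 chars)
```

Note that the salt and the round count travel inside the hash string, so verification needs no extra columns; an integrator sharing the users table (or a module such as mod_auth_mysql) must implement this same loop to validate a `$P$` hash.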

The new cookies and hashes are still under development but are available for testing by grabbing svn trunk. Don’t test on a production blog, since reverting to your previous version requires restoring your users table from backup to get your old password hashes back.

17 responses to “Secure Cookies and Passwords”

  1. Dhruva Sagar

    This sounds very interesting, I would love to see its effects in action… It will definitely increase WordPress’ security.

  2. Liquidmatrix Security Digest » Security Briefing: December 18th

    […] WordPress: Secure Cookies and Passwords […]

  3. Cody Sortore

    Very cool, definitely waiting for that update. I like the control over cookies, very convenient!

  4. Wordpress 2.4 to use Secure Cookies and Passwords : bloginfosec.com

    […] Ryan Boren regarding WordPress version 2.4 security: The new cookie protocol will allow us to enforce […]

  5. 20f1aeb7819d7858684c898d1e98c1bb at Holy Shmoly!

    […] Searching for the md5 hash was clever, but it won’t work for long because Ryan is working on securing the WordPress cookies and passwords. In case you’re wondering, the hacker got in […]

  6. WordPress weekly digest 10th December to 16th December 2007 « westi on wordpress

    […] If you would like to read more about the new cookie format then Ryan has written an excellent post – “Secure Cookies and Passwords” […]

  7. » WordPress weekly digest 10 Dec – 16 Dec 2007 » WordPress Italy

    […] for more information on the new cookie format, see Ryan’s excellent article – “Secure Cookies and Passwords” (which will be translated in the coming […]

  8. links for 2007-12-21

    […] » Secure Cookies and Passwords boren.nu new password hashing algorithm and new cookie format to be introduced in wordpress 2.4 (tags: Blogs php security wordpress password) […]

  9. Richy’s Random Ramblings / Coding: Password Security in Cookies

    […] boren.nu, I came across a nice detailed section on how to create a secure cookie and password system (which […]

  10. » Secure cookies and passwords » WordPress Italy

    […] below is the translation of an article by Ryan Boren on one of the main new features of WP […]

  11. Purposemakers – Website Design & Development, Strabane, Co. Tyrone, Northern Ireland.
  12. Wordpress 2.3.2 released and Wordpress Version 2.5 (aka Wordpress 2.4) – Planned features | Bullroarer

    […] interface as I’m pretty happy with the current interface.  Password and cookies will also be handled differently in 2.4 2.5 so that server-side cookie expiration and generally make password and cookie handling more […]

  13. Lior Shion – I exist, therefore I think. » Blog Archive » Security update in WordPress 2.4

    […] Ryan Boren writes about it here: » Secure Cookies and Passwords boren.nu […]

  14. Episode 33: WordPress 2.3.2 released, WordPress 2.4 missed and changes to the podcast | PHP Podcasts

    […] Simple Thoughts details ways to harden your WordPress blog from attack, Ryan Boren discusses ways WordPress 2.5 will have a new format for authentication cookies and a new password hashing algorithm, there’s a plugin to secure your admin pages, Donncha O Caoimh details other ways to secure […]

  15. » MD5 Password Hashes for 2.5 boren.nu

    […] Mar 27 2008 by Ryan WordPress 2.5 uses a new password hashing scheme. Plain-old MD5 hashes are no longer used. If you share your users table with other applications or […]

  16. WordPress 2.5’s New Password Hashing Scheme | WordPress Philippines

    […] Boren tells us there’s a new password hashing scheme in WordPress 2.5 (along with a new format for cookie authentication). Why is this important for WordPress users with little knowledge about […]

  17. 5-Finger-Blog by Hollii » WordPress Secret_Key

    […] what exactly the constant means is explained by Ryan Boren. For those who do not speak English, I have linked it through Google Translate […]
