Secure Cookies and Passwords

WordPress 2.4 will feature a new format for authentication cookies and a new password hashing algorithm. Cookies will be based on the secure cookie protocol described here. The cookie is structured like so:

user name|expiration time|HMAC( user name|expiration time, k)
where k = HMAC(user name|expiration time, sk)
and where sk is a secret key

The new cookie protocol will allow us to enforce expirations server-side, mass invalidate all cookies, and offer high-level confidentiality. Read the Liu paper for details on the protocol, and see ticket 5367 for details on our implementation of the protocol.

In conjunction with the new cookies, password hashing will be improved by moving to phpass. phpass provides password stretching and salting. These make brute-forcing your password hashes impractical should someone get access to your database. phpass is being considered for inclusion by Drupal and phpBB, which bodes well for integrators who want to auth all of these apps off of one user table. However, I’m not sure how well things like mod_auth_mysql play with the portable hashes generated by phpass. Anyone with experience there? While moving the code to phpass, we made password hashing completely pluggable should integrators need to switch to a different hash. Hopefully everything can place nice with phpass.

The new cookies and hashes are still under development but are available for testing by grabbing svn trunk. Don’t test on a production blog since reverting back to your previous version requires restoring your users table from backup to get your old password hashes back.