Weak Password vulnerability in WordPress
There is a Weak Password vulnerability in WordPress 2.0.x (and in later versions, potentially up to 2.3.3), which caught my attention back in 2006, when I started using WP.
Default password during installation: 6 characters and a small alphabet (the one used by md5).
The system uses the following algorithm for password generation:
$random_password = substr(md5(uniqid(microtime())), 0, 6);
Given that the alphabet has only 16 characters and the length is 6 characters, all possible combinations: 16 ^ 6 = 16777216.
Given these conditions, and that the system has an Abuse of Functionality vulnerability that lets user names be guessed, and is susceptible to Brute Force, which lets passwords be guessed, a brute-force attack on the site can be carried out.
Guessing a password (at 10 queries per second):
Queries: 16777216.
Time: 1677721.6 seconds = 19.42 days.
In WordPress 2.5 the situation is better.
The function wp_generate_password is used. Default password during installation: 7 characters and a normal alphabet (62 characters). All possible combinations: 62 ^ 7 = 3521614606208.
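The post's keyspace and time figures can be reproduced and checked against the generator itself. The following is an added example written for this page; it is not code from the post or from WordPress. It models the 2.0.x generator with Python's md5 (the exact format of PHP's uniqid() is assumed not to matter, since md5's hex output fixes the alphabet), and uses a secrets-based 62-character generator as a stand-in for wp_generate_password, not as its actual implementation. The seeds fed to the legacy generator are constructed, not captured from a real install.

```python
import hashlib
import math
import secrets
import string

HEX_ALPHABET = set("0123456789abcdef")            # what md5 hexdigest can emit
WP25_ALPHABET = string.ascii_letters + string.digits  # 62 characters, as in the post


def legacy_wp_password(seed: str) -> str:
    """Model of substr(md5(uniqid(microtime())), 0, 6) from WordPress 2.0.x.

    The seed stands in for uniqid(microtime()); its format is an
    assumption, but whatever it is, the output is 6 hex characters.
    """
    return hashlib.md5(seed.encode()).hexdigest()[:6]


def wp25_style_password(length: int = 7) -> str:
    """Stand-in for a 62-character-alphabet generator (NOT wp_generate_password itself)."""
    return "".join(secrets.choice(WP25_ALPHABET) for _ in range(length))


def observed_alphabet(passwords) -> set:
    """Collect every character that actually appears in a sample of passwords."""
    return set("".join(passwords))


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords the generator can produce."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Equivalent strength in bits for a uniform choice over the keyspace."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, rate_per_second: float) -> float:
    """Worst-case time to try every password at a given online guessing rate."""
    return keyspace(alphabet_size, length) / rate_per_second


def is_legacy_default(password: str) -> bool:
    """Defender's check: does a password look like an unchanged 2.0.x install default?

    Six characters drawn only from the md5 hex alphabet is the signature
    of the old generator; flag such accounts for a forced password reset.
    """
    return len(password) == 6 and set(password) <= HEX_ALPHABET


def legacy_sample(n: int = 1000):
    """Constructed sample: seeds imitate uniqid()-style time-derived strings."""
    return [legacy_wp_password(f"{i:x}.{i * 7919:x}") for i in range(n)]


if __name__ == "__main__":
    sample = legacy_sample()
    print("legacy alphabet observed:", "".join(sorted(observed_alphabet(sample))))
    print("legacy keyspace:", keyspace(16, 6), "=", entropy_bits(16, 6), "bits")
    print("time at 10 req/s:", seconds_to_exhaust(16, 6, 10) / 86400, "days")
    print("2.5 keyspace:", keyspace(62, 7), "=", round(entropy_bits(62, 7), 1), "bits")
    print("example 2.5-style password:", wp25_style_password())
```

Running it shows the point the post makes numerically: the legacy sample never contains a character outside 0-9a-f, so the 6-character default is a 24-bit secret, while 7 characters over 62 symbols is roughly 41.7 bits, about 200,000 times more guesses. The is_legacy_default check is the practical takeaway for an administrator auditing an old install.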
andry- Moderator
- Posts : 467
Join date : 2010-05-07