• Resolved Steve Cliff

    (@stevecliff)


    As part of a hacking attempt we need to re-hash the entries in the user table from the standard WordPress MD5-based hash to a new Bcrypt hash.
    I can get this working on pure local accounts by simply logging in (as it upgrades the hash on-the-fly) however I’m struggling to find a way to update the wpDirAuth created entries.

    I could simply delete the account and let wpDirAuth re-create them – but obviously this would lose the link between any content created on the site and the user themselves.

    I’ve tried to disable the plugin and then log in using the credentials of the user – but this hasn’t worked either. My guess is that most users will have updated passwords in LDAP and the original hashes held in WordPress no longer match?

    Could you clarify how wpDirAuth uses the password hashes please? I’m actually presuming that it doesn’t but would appreciate any input you have.

    Thanks,
    Steve.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Paul Gilzow

    (@gilzow)

    wpDirAuth doesn’t store the user’s password, since it is never used for an AD/LDAP-authed user. Instead, it uses wp_generate_password(24) to generate a password to be stored for the account. If the plugin is ever deactivated/removed, the account can then be used as a local account by using the standard WordPress password recovery functionality.

    It’s at line 1750 in the current version of the plugin.

    $aryUserDetails['user_pass'] = wp_generate_password(24);//we're going to store a random password in WP since directory users will never use it to log in anyway

    Thread Starter Steve Cliff

    (@stevecliff)

    That is extremely useful information Paul – and makes the overall security of the WordPress install significantly higher than we expected. Many thanks for the confirmation/info!

  • The topic ‘Re-hashing local accounts’ is closed to new replies.