Last updated on January 1, 2009
Via boren.nu, I came across a nice detailed section on how to create a secure cookie and password system (which will be implemented in WordPress 2.4):
Cookies will be based on the secure cookie protocol described here. The cookie is structured like so:
user name|expiration time|HMAC( user name|expiration time, k)
where k = HMAC(user name|expiration time, sk)
and where sk is a secret key
The new cookie protocol will allow us to enforce expirations server-side, mass invalidate all cookies, and offer high-level confidentiality. Read the Liu paper for details on the protocol. … In conjunction with the new cookies, password hashing will be improved by moving to phpass. phpass provides password stretching and salting. These make brute-forcing your password hashes impractical should someone get access to your database.
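To make the quoted cookie structure and the two password-hashing properties concrete, here is an added example in Python. It is not code from the WordPress announcement, from the Liu paper or from phpass. The function names (`mint_cookie`, `verify_cookie`, `hash_password`, `verify_password`), the use of HMAC-SHA256 as the HMAC, the base64 encoding of the tag, and the `SERVER_KEY` placeholder are this example's own assumptions; phpass's portable scheme is salted iterated MD5 (it uses bcrypt where the PHP build supports it), and the password half of the example substitutes PBKDF2-HMAC-SHA256 from the standard library to show the same salting and stretching.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed placeholder for sk. A real deployment loads a random, high-entropy
# key from configuration; rotating it mass-invalidates every outstanding cookie,
# because every derived k depends on it.
SERVER_KEY = b"constructed-example-secret-key-not-for-production"

SEP = "|"


def _mac(message: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 (this example's choice of HMAC function)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mint_cookie(username: str, expires_at: int, sk: bytes = SERVER_KEY) -> str:
    """Build  user name|expiration time|HMAC(user name|expiration time, k)
    with k = HMAC(user name|expiration time, sk)."""
    if SEP in username:
        # The separator is the only framing; a '|' in the name would let one
        # string parse two ways, so refuse it rather than escape it.
        raise ValueError("username must not contain the separator")
    data = f"{username}{SEP}{expires_at}".encode()
    k = _mac(data, sk)      # per-cookie derived key; never leaves the server
    tag = _mac(data, k)     # the authenticator the browser carries
    tag_b64 = base64.urlsafe_b64encode(tag).decode().rstrip("=")
    return data.decode() + SEP + tag_b64


def verify_cookie(cookie: str, now: int, sk: bytes = SERVER_KEY):
    """Return the user name if the cookie is authentic and unexpired, else None.
    Expiry is read from the authenticated field, so the server enforces it
    regardless of what the browser does with the cookie's own attributes."""
    parts = cookie.split(SEP)
    if len(parts) != 3:
        return None
    username, exp_str, tag_b64 = parts
    try:
        expires_at = int(exp_str)
        tag = base64.urlsafe_b64decode(tag_b64 + "=" * (-len(tag_b64) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    data = f"{username}{SEP}{exp_str}".encode()
    expected = _mac(data, _mac(data, sk))
    # Constant-time compare: a plain == would leak where the tag first differs.
    if not hmac.compare_digest(tag, expected):
        return None
    if expires_at <= now:
        return None
    return username


def hash_password(password: str, iterations: int = 100_000) -> str:
    """Salted, stretched hash (PBKDF2-HMAC-SHA256 standing in for phpass).
    The iteration count is the stretching factor and is stored with the hash."""
    salt = os.urandom(16)   # per-user random salt: equal passwords, unequal hashes
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        dk = base64.b64decode(dk_b64)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    except ValueError:
        return False
    return hmac.compare_digest(candidate, dk)


if __name__ == "__main__":
    now = int(time.time())
    cookie = mint_cookie("alice", now + 3600)
    print(cookie)
    print(verify_cookie(cookie, now))                 # alice
    print(verify_cookie(cookie, now + 7200))          # None: expired, enforced server-side
    print(verify_cookie(cookie, now, sk=b"rotated"))  # None: key rotation invalidates all
    stored = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", stored), verify_password("wrong", stored))
```

Two points the code makes concrete: the derived key k is recomputed from sk on every check and never leaves the server, so possession of one cookie gives no key material for forging another; and because the expiration is inside the authenticated string, editing it in the browser changes the expected tag and the cookie is simply rejected, which is what "enforce expirations server-side" means in practice.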