Coding: Password Security in Cookies

December 22nd, 2007 by Richy B. Leave a reply »

Via boren.nu, I came across a nice detailed section on how to create a secure cookie and password system (which will be implemented in WordPress 2.4):

Cookies will be based on the secure cookie protocol described here. The cookie is structured like so:

user name|expiration time|HMAC( user name|expiration time, k)
where k = HMAC(user name|expiration time, sk)
and where sk is a secret key

The new cookie protocol will allow us to enforce expirations server-side, mass invalidate all cookies, and offer high-level confidentiality. Read the Liu paper for details on the protocol… …In conjunction with the new cookies, password hashing will be improved by moving to phpass. phpass provides password stretching and salting. These make brute-forcing your password hashes impractical should someone get access to your database.

This post is over 6 months old.

This means that, despite my best intentions, it may no longer be accurate.

This blog holds over 12 years of archived content - during that time, I may have changed my opinion of something, technology will have advanced (and old "best standards" may no longer be the case), my technology "know how" has improved etc etc - it would probably take me a considerable amount of time to update all the archival entries: and defeat the point of keeping them anyway.

Please take these posts for what they are: a brief look into my past, my history, my journey and "caveat emptor".

Leave a Reply

gamy-dance
%d bloggers like this: