I'm a WordPress fan, it's true. There, you've got full disclosure*.
I just finished reading a ridiculous article on how not to do web site user registration. Read the article - are you outraged at WordPress now? Well, you should be until you learn how WordPress stores passwords.
WordPress stores your password in the "users" table of your database, and here's a surprise - what sits in that column is a hash of the password, not the password itself (if you don't know what a hash is, I suggest either googling it or just forgetting about this article - it might not be worth your time). Has the crack WordPress team figured out how to crack hashes? Are they hacking into everything right now?
The answer, of course, is no. What happens when you register for a WordPress site is actually very reasonable. They generate a password randomly. They put that password in an email to you. They work the hash voodoo on it and put it in the database, where it is absolutely not stored in plain text.
The alarmist backlash article is a ridiculous knee-jerk reaction. The real problem, obviously, is that the email does not insist that you change your password, and that people would even consider keeping a password that was generated for them and then sent to them in a plaintext email. My favourite thing about the whole post is that the people who wrote it are a Software Security Institute. I'll accept that one can make mistakes - perhaps a retraction is in order?
* - actually, I'm also a Drupal guy. And you thought never the twain should meet!
By L May 28, 2009 - 5:52 am
How is it that when the user clicked an activation link in an email (notice that the activation link doesn’t contain the password), they are taken to a webpage where their password is displayed? Surely if the password was hashed at this point, that would not be possible?
By aphoenix May 28, 2009 - 8:08 am
The process that actually happens when you sign up for a WordPress account is this:
You apply for account creation.
You are sent a link to activate your account. This email does not display your password.
You follow the link to the page. That PHP page does a number of things, but most pertinent are these:
your account is actually created
a password is randomly generated
an email is generated and sent with the account name and password
the password is hashed and stored in the database
You receive an email with your credentials.
Note that it is technically possible to receive your credentials before they are usable, especially if you have your database set up in a particular (read: slow) way.
So to answer your question – the password isn’t hashed at the point that they click on the activation link, because until the activation link is clicked, there is no password associated with your account, nor any real “account”. Hope this helps!
~aphoenix
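As an added illustration of the activation flow aphoenix lays out above (and of the "hash voodoo" the post itself refers to), here is a small Python model of that step. It is not WordPress code and does not come from the page's author or from the WordPress project: the in-memory USERS table, the OUTBOX mail stand-in, and the choice of salted PBKDF2-HMAC-SHA256 as the hashing scheme are my assumptions, since the page only says that the password is hashed. It mirrors the ordering in the comment (mail first, then store the hash) and adds the one thing the post argues for, a change_password step that replaces the mailed password with one the user chooses.

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed in-memory stand-ins for the WordPress users table and the mail
# transport. Neither is real WordPress code; the names are assumptions.
USERS = {}          # login -> {"salt": bytes, "hash": bytes}
OUTBOX = []         # (recipient, subject, body)
PBKDF2_ROUNDS = 100_000


def generate_password(length=12):
    """Random password drawn from the OS CSPRNG (secrets), letters and digits."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. Assumption: a stand-in for whatever hash
    WordPress actually uses; the page says only that the password is hashed."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def send_mail(to, subject, body):
    """Stand-in for wp_mail: just records the message."""
    OUTBOX.append((to, subject, body))


def activate_account(login, email):
    """Models the activation-link handler as the comment describes it:
    create the account, generate a password, mail it, then store only the hash."""
    if login in USERS:
        raise ValueError("account already activated")
    password = generate_password()
    # The email goes out before the hash is written, which is the window the
    # comment mentions where the mailed credentials are not yet usable.
    send_mail(email, "Your new account", f"Username: {login}\nPassword: {password}")
    salt, digest = hash_password(password)
    USERS[login] = {"salt": salt, "hash": digest}
    # Returned only so a caller can demonstrate a login; a real handler would not.
    return password


def check_login(login, password):
    """Verify by re-deriving the hash with the stored salt; constant-time compare."""
    record = USERS.get(login)
    if record is None:
        # Burn a derivation anyway so unknown logins are not cheaper to probe.
        hash_password(password, b"\x00" * 16)
        return False
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["hash"])


def stored_plaintext(login, password):
    """True only if the password appears verbatim in the stored record."""
    record = USERS[login]
    return password.encode() in record["hash"] or password.encode() in record["salt"]


def change_password(login, old, new):
    """The step the post says the email should insist on: replace the mailed
    password with one the user chose, re-salting in the process."""
    if not check_login(login, old):
        return False
    salt, digest = hash_password(new)
    USERS[login] = {"salt": salt, "hash": digest}
    return True


if __name__ == "__main__":
    pw = activate_account("alice", "alice@example.com")
    print("mailed line:", OUTBOX[-1][2].splitlines()[-1])
    print("login with mailed password:", check_login("alice", pw))
    print("plaintext in users table:", stored_plaintext("alice", pw))
    print("changed:", change_password("alice", pw, "something-alice-picked"))
    print("old mailed password still works:", check_login("alice", pw))
```

Run it and the only place the plaintext shows up is the mail body; the users table holds a salt and a digest, so reading the database gives an attacker nothing to log in with. The mailed copy is the weak link, which is why the last two lines matter more than the hashing.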
By David Conrad May 29, 2009 - 11:28 am
I’ve seen a number of WordPress apologists claim that it is a randomly generated password, but WordPress actually has the new user create a password as you can plainly see at the link above.
Also, the poster you’re responding to clearly stated multiple times that it was a password he had chosen that was mailed to him, not a randomly created password.