Discussion: Salting
Dobri
2013-07-01 18:32:02 UTC
I might be wrong on how all of this works but since this -> https://api.wordpress.org/secret-key/1.1/salt/ exists, why isn't it built into WordPress to just grab a random set of salts on the initial installation and save it in the wp-config on its own instead of the 'put your unique phrase here'? I feel like a good 40-50% of all installations have exactly that as salts so I feel this would make it a bit more secure. Am I missing something?

~Dobri
Andrew Nacin
2013-07-01 18:36:21 UTC
It is built into WP; see wp-admin/setup-config.php.

It's worth noting that if keys or salts are unchanged from the default, or
are duplicated in any way, wp_salt() actually refuses to honor what is in
wp-config.php, and generates a new value (storing it in the DB).

Even if 40-50% of installations have exactly the same salts, wp_salt() very
likely is returning something different altogether.

Nacin
Dobri
2013-07-01 18:44:56 UTC
Ah, that would make sense. I only brought it up cause I noticed it didn't change anything in the wp-config.php file when I tried a fresh install. Come to think of it that makes no sense whatsoever, better to store it in DB at that point. Thanks for that!

~Dobri
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Otto
2013-07-01 18:49:59 UTC
If you make your own wp-config.php file instead of letting the
setup-config process do it for you, then yes, you should get your own
salts manually and put them in there. Having it store them in the DB
is slightly slower. Not enough where I'd expect you to notice though.

A lot of install instruction sets still say to copy the
wp-config-sample.php file, but the automatic config process is
somewhat better and I recommend using that when possible.

-Otto
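Added example (not code from WordPress core or from anyone in this thread) that applies the rule Nacin describes, together with Otto's point about hand-written config files, to a wp-config.php: it parses the eight define() constants and flags any that are missing, left at the sample placeholder, or duplicated, which are the values wp_salt() does not honour. The constant names and placeholder string are the ones from wp-config-sample.php; the sample config is constructed.

```python
"""Audit the salt constants in a wp-config.php (added example, not WP code).
Applies the rule from the thread: a value left at the sample placeholder, or
duplicated across constants, is not honoured by wp_salt()."""
import re

# The eight constants wp-config-sample.php asks you to fill in.
SALT_CONSTANTS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"
# Matches define('NAME', 'value'); with either quote style.
_DEFINE_RE = re.compile(r"""define\(\s*(['"])(\w+)\1\s*,\s*(['"])(.*?)\3\s*\)\s*;""")

def parse_defines(config_text):
    """Return {constant: value} for every define() in the config text."""
    return {m.group(2): m.group(4) for m in _DEFINE_RE.finditer(config_text)}

def audit_salts(config_text):
    """Classify each salt constant: 'ok', 'missing', 'placeholder' or 'duplicate'."""
    defines = parse_defines(config_text)
    values = {n: defines.get(n) for n in SALT_CONSTANTS}
    counts = {}
    for v in values.values():
        if v is not None:
            counts[v] = counts.get(v, 0) + 1
    report = {}
    for name, value in values.items():
        if value is None:
            report[name] = "missing"       # constant absent: DB value is used
        elif value == PLACEHOLDER:
            report[name] = "placeholder"   # sample text: not honoured
        elif counts[value] > 1:
            report[name] = "duplicate"     # reused value: not honoured
        else:
            report[name] = "ok"            # unique, non-default: honoured
    return report

# Constructed sample: a hand-copied wp-config-sample.php where two constants
# got the same value, most were left at the placeholder and one is missing.
SAMPLE_CONFIG = """<?php
define('AUTH_KEY',         'kA7)q!v2#ZxR9tL^pM4sW%bN8cJ1dF5gH0yU6iO3eT');
define('SECURE_AUTH_KEY',  'kA7)q!v2#ZxR9tL^pM4sW%bN8cJ1dF5gH0yU6iO3eT');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define("NONCE_KEY",        "put your unique phrase here");
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'a different, genuinely unique value for this one');
"""
```

Only a config where every constant comes back "ok" is one whose file-based secrets are actually in use; anything else is relying on the DB-stored values Nacin mentions.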
Shea Bunge
2013-07-01 21:54:18 UTC
If you don't create a wp-config.php file, when you visit your WordPress installation URL, it will present you with a screen where all you need to do is enter your database details and WordPress will build a wp-config.php file for you (this includes setting the salts). The page you mention only exists for people who are building a wp-config.php file manually, by copying the wp-config-sample.php file and editing the values.