WordPress Default Password Vulnerability

Last updated 6 weeks ago

I was doing a WordPress installation the other day when I noticed how insecure the default generated password was.

On line 38 of wp-admin/includes/upgrade.php (WordPress version 2.3.1) I found that the 6-character password is generated this way:

$random_password = substr(md5(uniqid(microtime())), 0, 6);

The md5 function returns a 32-character hexadecimal string and substr keeps only its first six characters. Doing elementary combinatorics we can find that the number of possible passwords is 16^6 (16 to the power 6) = 16,777,216, or roughly just 16.7 million passwords!

I am more than sure that most people doing WP installations never change the default password. If you're on a good connection and can do just 100 password checks per second, then you can crack a WordPress installation in a worst-case time of 16,777,216/100 seconds, which is 46.6 hours! Most likely you'd crack the password in half of that time, so you can crack any WordPress installation that still has a default password in about 24 hours!
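The following is an added example, not code from the original post or from WordPress: it reproduces the md5-then-truncate step in Python to show that the output alphabet is only the 16 hex digits, sizes the resulting keyspace and worst-case search time with the figures above, and gives a check an administrator can run to spot passwords with that weak default shape. The uniqid(microtime()) seed is stood in for by a fixed string (constructed), and generate_password is an assumed replacement, not WordPress's own generator.

```python
import hashlib
import math
import re
import secrets
import string

HEX_ALPHABET = "0123456789abcdef"
WP_DEFAULT_RE = re.compile(r"[0-9a-f]{6}")


def wp_style_default(seed: str) -> str:
    """Mirror substr(md5(uniqid(microtime())), 0, 6) from upgrade.php.
    The seed is a constructed stand-in for uniqid(microtime()); what matters
    here is that md5's hex digest restricts every character to 0-9a-f."""
    return hashlib.md5(seed.encode()).hexdigest()[:6]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct fixed-length passwords over an alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Upper bound on password entropy, assuming a uniformly random seed."""
    return length * math.log2(alphabet_size)


def worst_case_hours(space: int, guesses_per_second: float) -> float:
    """Hours to exhaust the whole keyspace at a given guess rate."""
    return space / guesses_per_second / 3600


def looks_like_wp_default(password: str) -> bool:
    """True when a password has the shape of the 2.3.1 generated default:
    exactly six lowercase hex characters. Useful for auditing admin accounts
    that were never changed after installation."""
    return WP_DEFAULT_RE.fullmatch(password) is not None


def generate_password(length: int = 12) -> str:
    """Assumed replacement: CSPRNG over the full printable alphabet, so the
    keyspace is 94**12 rather than 16**6."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    pw = wp_style_default("0.12345600 1196000000")  # constructed seed
    print(pw, looks_like_wp_default(pw))
    print(keyspace(16, 6), entropy_bits(16, 6), worst_case_hours(16 ** 6, 100))
```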
