Salt values

Dec 20, 2011 at 8:56 PM

Hey Ben,

Just came across salt values to increase security. Fresh salt values can be obtained here: https://api.wordpress.org/secret-key/1.1/salt/

I enter them as parameters next to

call scaffolder run -LOGGED_IN_SALT="xxxxxx"

etc.

It seems to work, but the values reflected in the ServiceConfiguration.cscfg seem to be much shorter and in a different format. That's intended, right?


Cheers,

Houman

Editor
Dec 20, 2011 at 9:14 PM

Houman,

Can you give me an example of the value you received for LOGGED_IN_SALT? When you used the command line parameter did you use quotes around the string?

The scaffold will generate some (supposedly) unique strings that are used for the salts if no values are passed in or if the parameter is incorrect. That may be what you are seeing.

If you feel the salt is too short I can look at implementing a random string method similar to http://ben.lobaugh.net/blog/121/php-random-password-generator

Probably a good idea, actually.

Ben

Dec 20, 2011 at 9:22 PM

Ben,

Sure. This is what I get:


<Setting name="LOGGED_IN_SALT" value="4ef0f48f229d6" />

I have done it a few times and it seems to always start with 4ef. I don't think they are generated randomly enough and they might be compromised.

I generate them like this:

call scaffolder run -out="%CD%\build\WordPress" -s="%CD%\build\WordPress.phar" -AUTH_KEY=";`7.o/EkTi)0iE*Nu>25d#.5AClaAw|j*KyzFO0K2$B_  tY^.`&+UuXAzqCffAw" -SECURE_AUTH_KEY="6v2^mG+$VN`P_9e9KVWkn)}8 Vtdqj?kB7l&kgVcR8i[P/h1dWp9q!(0~ eZ[xTk" -LOGGED_IN_KEY="N~>.nbJfz05h|Cat|Y(n<UQLLiu1tRjAVWD+m4#101Hw24Nk4_L(X-1ZF:X,q0[[" -NONCE_KEY="E>~::WPyyHC^k2|JI5FgZuEJ66@avD2Gk{~f2G|- (uj/+ k.+c)+?@uF4jc0XYi" -AUTH_SALT="nzs |u_>dg j8]z@1F81El4,,;hP)h#y%M6Qk34)Ke({Rk>)C{W16/*f)CWCPK[L" -SECURE_AUTH_SALT="i:L1n|C{r4}wC:L[PgCetQ<YxibQ=BOuU&OD@H8}U/A:ir7-_X1XT5g;x5&TPkZg" -LOGGED_IN_SALT="A,^ss:dC1=7@@PIr|R23kS2vIu7y-mM+0]5+2AqX&vjD@bz1BeldF+9D60v^GHZB" -NONCE_SALT=")t9QPBkCog<;tVB[O1(I1L`m  Kcm8JwZ*SxF4H/vh7 ?a;^a#OBVOG2N#/E.)+^"
What do you think, is it a big change to fix it?

Houman

Editor
Dec 20, 2011 at 9:24 PM

Houman,

It is a fairly trivial change actually. Basically copy the code from the link into the scaffold and change the calls from uniqid() to the new method :)

Ben

Dec 20, 2011 at 9:33 PM

Ben,

Sorry for being so PHP illiterate. :) I have found in index.php the line that calls the method:

$this->p->add('AUTH_KEY', false, uniqid(), 'Auth key');


But where is uniqid() actually located?

Houman

Editor
Dec 20, 2011 at 9:34 PM

Houman,

uniqid() is a built-in PHP function:

http://php.net/manual/en/function.uniqid.php


Cheers,
Ben

Dec 20, 2011 at 9:44 PM

Oh hehe, right.

True I could copy and paste that function in the index.php and make use of that.

I think alternatively we could simply insert them manually into the ServiceConfiguration.

Since wp-config.php gets them through a function anyway:

define('AUTH_KEY',         azure_getconfig('AUTH_KEY'));

We could enter the value in ServiceConfiguration like this:

<Setting name="AUTH_KEY" value="6v2^mG+$VN`P_9e9KVWkn)}8 Vtdqj?kB7l&kgVcR8i[P/h1dWp9q!(0~ eZ[xTk" />

This guarantees a super unique salt value. :)

Thanks,

Houman
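The two fixes discussed in this thread (swapping the scaffold's uniqid() call for a real random generator, and writing the values into ServiceConfiguration.cscfg as <Setting> elements) as one added example; this is not the scaffold's own code nor the generator from the linked blog post. It assumes PHP 7 or later for random_int(). The explain_uniqid() helper decodes the "4ef0f48f229d6" value quoted above: a default uniqid() is just the Unix time in hex followed by microseconds, which is why every value started with 4ef.

```php
<?php
// Added example (not the scaffold's own code): replace uniqid() with a
// CSPRNG-backed salt generator and show why uniqid() output is predictable.
// Assumes PHP >= 7.0 for random_int().

/**
 * Return a salt of $length characters drawn uniformly from a printable
 * ASCII alphabet similar to the one api.wordpress.org uses. Quotes and
 * backslashes are left out so the value pastes cleanly into PHP or XML.
 */
function generate_salt(int $length = 64): string
{
    $alphabet = '!#$%&()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ'
              . '[]^_`abcdefghijklmnopqrstuvwxyz{|}~';
    $max  = strlen($alphabet) - 1;
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() uses the OS CSPRNG and is unbiased over [0, $max].
        $salt .= $alphabet[random_int(0, $max)];
    }
    return $salt;
}

/**
 * Decode a default uniqid() value: 8 hex digits of Unix seconds followed by
 * 5 hex digits of microseconds. Nothing in it is secret or hard to guess.
 */
function explain_uniqid(string $id): array
{
    return [
        'utc_time'     => gmdate('Y-m-d H:i:s', hexdec(substr($id, 0, 8))),
        'microseconds' => hexdec(substr($id, 8, 5)),
    ];
}

// One <Setting> element per WordPress key, XML-escaped for the .cscfg file.
$keys = ['AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
         'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT'];
foreach ($keys as $key) {
    $value = htmlspecialchars(generate_salt(), ENT_QUOTES | ENT_XML1, 'UTF-8');
    printf('<Setting name="%s" value="%s" />' . PHP_EOL, $key, $value);
}

// The value quoted in the thread: its first 8 hex digits are just the clock.
print_r(explain_uniqid('4ef0f48f229d6'));
```

Because the generated strings are XML-escaped before being printed, they can be pasted into the .cscfg as-is; azure_getconfig() will receive the unescaped characters when the configuration is read back.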