What's My Pass? » php; http://www.whatsmypass.com Password Recovery for Windows, Mac, Linux, browsers, email, instant messengers, BIOS Tue, 24 Jan 2012 16:08:10 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 WordPress Remote Admin Password Reset Vulnerability http://www.whatsmypass.com/wordpress-remote-admin-password-reset-vulnerability http://www.whatsmypass.com/wordpress-remote-admin-password-reset-vulnerability#comments Tue, 11 Aug 2009 21:45:37 +0000 Dev Team http://www.whatsmypass.com/wordpress-remote-admin-password-reset-vulnerability A new post appeared on the WordPress discussion list today revealing more details about the process. Everyone is apparently able to reset a WordPress password if the email address of the WordPress user is known. All that needs to be done is to point the web browser at http://www.domain.com/wp-login.php?action=lostpassword to reset the password. The email address of the account holder has to be supplied in the form. WordPress usually will send a confirmation email first asking the email account owner if the password should be reset. The vulnerability manipulates the query to skip this step.

It is not possible to exploit this vulnerability further which means attackers cannot get access to the user account. It can however be theoretically be used to reset the password regularly to lock the user or admin out of the WordPress blog.

A temporary fix for the remote admin password reset vulnerability was posted. WordPress administrators need to change one line of code in the wp-login.php file of the WordPress installation to protect their blog from the attack. There is no official release fixing this problem, apply this changeset to your wp-login.php.

change line 190 in wp-login.php to

if ( empty( $key ) )

With

    if ( empty( $key ) || is_array( $key ) )

It is advised to apply the temporary fix as soon as possible to WordPress installations.

]]> http://www.whatsmypass.com/wordpress-remote-admin-password-reset-vulnerability/feed 0 GSAuditor SHA-1 Cracker http://www.whatsmypass.com/gsauditor-sha-1-cracker http://www.whatsmypass.com/gsauditor-sha-1-cracker#comments Sat, 29 Nov 2008 02:20:54 +0000 admin http://www.whatsmypass.com/?p=413 Generic SHA-1 Auditor (GSAuditor) is an application that allows you to brute force password hashes derived from SHA-1. NOTE: GSAuditor is an “experimental” tool.

Current version of GSAuditor supports the following algorithms:

* RAW-SHA-1($password) – Mac OS 10.3 ‘Panther’
* SHA-1(UNICODE($password).$salt) – MS SQL 2000/2005 (remember that 2000 uses uppercase password!)
* SHA-1($password.$salt) – ORACLE 11g (the salt is currently 10 bytes)
* SHA-1($username.$password) – PHP
* SHA-1($salt.$password) – Mac OS 10.4 ‘Tiger’
http://evilfingers.com/tools/GSAuditor.php

]]> http://www.whatsmypass.com/gsauditor-sha-1-cracker/feed 1 Brute Force Calculator http://www.whatsmypass.com/brute-force-calculator http://www.whatsmypass.com/brute-force-calculator#comments Fri, 31 Oct 2008 06:58:04 +0000 admin http://www.whatsmypass.com/?p=370 See how long it would take you brute-force your password using this handy php script:
http://www.hackosis.com/projects/bfcalc/bfcalc.php
The code is open source and can be downloaded from:
http://www.hackosis.com/wp-content/uploads/2007/11/bfcalc.zip

]]> http://www.whatsmypass.com/brute-force-calculator/feed 0 Most Common Passwords http://www.whatsmypass.com/most-common-passwords http://www.whatsmypass.com/most-common-passwords#comments Wed, 11 Jun 2008 19:08:12 +0000 Dev Team http://www.whatsmypass.com/?p=22 nice writeup on the common passwords and peoples thought process on picking passwords

http://blog.jimmyr.com/Most_Common_Passwords_20_2008.php

]]> http://www.whatsmypass.com/most-common-passwords/feed 0