User password field is empty

I still wouldn’t recommend this because it is probably exploitable somehow…

Technically assuming all the right hooks and functions are called, a user should not be able to login if supplying a blank password even if the user_pass field in the database is empty.

Why…?

When you try to login using the form as seen on /wp-login./php, WordPress will call wp_authenticate_username_password() which is hooked onto the authenticate action.

wp_authenticate_username_password() checks to see if the submitted $password is not empty. If it is empty, it will raise an instance of WP_Error and the login request will be rejected.

The same applies anywhere you try to login from, be it a custom login form or not, assuming the correct hooks or functions are called, e.g. authenticate or wp_authenticate_username_password().

Now even if you make it to the wp_check_password() point of wp_authenticate_username_password(), an empty password still generates a hash value when ran through md5(), e.g. md5('') //d41d8cd98f00b204e9800998ecf8427e.

So what happens when we enter the wp_check_password() function is that the following logic is ran…

Source: wp-includes/pluggable.php

function wp_check_password($password, $hash, $user_id = '') {
    global $wp_hasher;

//note that...
//$password  = '' and $hash (from db) = ''

// If the hash is still md5...
if ( strlen($hash) <= 32 ) {
    $check = hash_equals( $hash, md5( $password ) ); // <- $check will return false, because the $hash is empty and does not match the hash of md5($password)

    if ( $check && $user_id ) {
        // Rehash using new hash.
        wp_set_password($password, $user_id);
        $hash = wp_hash_password($password);
    }

    /**
     * Filter whether the plaintext password matches the encrypted password.
     *
     * @since 2.5.0
     *
     * @param bool   $check    Whether the passwords match.
     * @param string $password The plaintext password.
     * @param string $hash     The hashed password.
     * @param int    $user_id  User ID.
     */
    return apply_filters( 'check_password', $check, $password, $hash, $user_id );
}


// If the stored hash is longer than an MD5, presume the
// new style phpass portable hash.
if ( empty($wp_hasher) ) {
    require_once( ABSPATH . WPINC . '/class-phpass.php');
    // By default, use the portable hash from phpass
    $wp_hasher = new PasswordHash(8, true);
}

$check = $wp_hasher->CheckPassword($password, $hash);

/** This filter is documented in wp-includes/pluggable.php */
return apply_filters( 'check_password', $check, $password, $hash, $user_id );

}

Ok so once we hit:

if ( strlen($hash) <= 32 ) {
    $check = hash_equals( $hash, md5( $password ) );

$check will return false because the value of $hash is an empty string and the value of md5($password) which is essentially md5('') is d41d8cd98f00b204e9800998ecf8427e as I mentioned above.

Therefore login attempt will be rejected.

So in theory you are safe unless some malicious code hooks onto:

return apply_filters( 'check_password', $check, $password, $hash, $user_id );

…and returns true. But anyone could do that under normal circumstances where proper password hashes do exist in the database.

Recommendation:

Leaving user_pass field in database empty and void of hashes is sloppy and bad practice.

Assumming someone knew that all the passwords in the database were blank and wanted to screw you over, they’d be half-way there in doing so. All they need to do is find a way to exploit the system.

Seeing as it is unlikely that you have audited every piece of internal core code as well as code from plugins and likely your theme, you don’t know when or if blank passwords will come back to bite you in the ass because of some edge-case zero day exploit that is introduced.

Instead…

//you can use get_users() if you prefer instead of $wpdb directly...
//this is just a one time operation.. don't forget to exclude those
//users whom you do not wish to reset a password for, e.g. yourself

global $wpdb;

$users = $wpdb->get_col("SELECT ID FROM {$wpdb->prefix}users WHERE 1 = 1");

foreach ($users as $user_id) {
    wp_set_password(wp_generate_password(), $user_id);
}

…do yourself a favor and set passwords for all users and let the user reset the password or generate an email with a password reset link.

Related Posts:

  1. wordpress redirect after password reset
  2. Loosen/disable password policy
  3. Password protecting a page
  4. How to save Admin FTP password
  5. If I change the salt keys in my wp-config will all passwords break?
  6. Bypass password protected posts via GET variable
  7. Why do generated passwords start/end with spaces?
  8. Duplicate hash method for password in .NET
  9. Hide password protected posts
  10. Safe to store SMTP password in wp-config.php?
  11. Access code/password only restricts page access, no user registration..?
  12. PasswordHash not found in namespace
  13. Force all users in MU to change their passwords
  14. How to shorten length of auto generated password sent during registration?
  15. Forgot password not working
  16. wp_hash_password unexpected behaviour
  17. Password reset message – change the network_home_url( ‘/’ )
  18. Lost password link is redirecting to /shop/my-account/lost-password/
  19. WordPress: force users to change password on first login
  20. Can’t login to wordpress despite changing password to something known directly in MySQL or using “Password Reset by Email” feature
  21. Lost password link redirects to my-account/lost-password/,how to fix it back to default lost password
  22. Password protect custom template
  23. Set content type to HTML for lost password email only
  24. Custom password generator for users
  25. Where is the reset password key stored/generated?
  26. How validate usernames/passwords against WP’s database?
  27. Make post password required to publish
  28. Add error message on password protected pages
  29. Why is resetting the WordPress Users password not working?
  30. Get plain password on register
  31. post_password_required() not recognizing cookie set with correct password
  32. Password protect the site (without htaccess or membership)
  33. Password Protected page not asking for a password
  34. I would like to password protect my entire WordPress site (ip validated), except for one page
  35. Custom login form for front-end user as well as admin
  36. how to remotely check a username / password from within a plugin
  37. Password changed [duplicate]
  38. How to get user password before being encrypted outside the wordpress core once add a new user from dashboard?
  39. wp_hash_password create a different hash everytime
  40. Custom password form allows unlock two posts with the same password
  41. How to change password
  42. password recovery key is invalid on custom reset
  43. Like to store multiple passwords in db table wp_posts field post_password?
  44. Password Protected Post is invisible until you login
  45. Send password to user instead of reset password link
  46. Protect Passwords in wp_users with stronger protection than MD5
  47. How secure is a wp-config file?
  48. How to check user’s password?
  49. How to Remove or Deactivate “Application Passwords” in WordPress
  50. What’s the algorithm to verify user password?
  51. How to change “Reset Password” text on submit button
  52. Customize retrieve password message
  53. resend user login & password with custom button
  54. How to show my wordpress admin username & password?
  55. Why does hashing a password result in different hashes, each time?
  56. Can’t alter $lostpassword_url
  57. How to initiate password reset flow by code
  58. Change password fields
  59. How to read third party cookie to access password protected pages
  60. Ask logged in user to re-enter password to access page “x”
  61. Password protected sites
  62. 2 accounts under same email preventing me from loging in
  63. How would I create a Password Protected Page with Content on it?
  64. Site only for users authenticated by different PHP application
  65. wordpress custom password change problem
  66. Allow all reset password links within the past 24 hours to be valid and accepted
  67. WooCommerce Lost Password reset goes to 404
  68. Set id and password for each post
  69. I have to reset the admin password each time
  70. I need help with wp_lostpassword, wp_register and wp_login_form
  71. Create Member who can’t be changed
  72. Sending Reset Password email via Web API
  73. I can’t recover my password
  74. $expiration_duration = apply_filters( ‘password_reset_expiration’, DAY_IN_SECONDS );
  75. Frontend custom forgot password page
  76. Entering a WP site with a SMS code
  77. Password Protect content() on homepage
  78. Function called by password_reset action passed only 1 argument instead of 2 in PHP 7.2.11
  79. How to set password from frontend if have activation key and user login in url in wordpress?
  80. Allow users from my ASP.Net MVC site to access my private WordPress site
  81. Multiple pages protected by different passwords. Possible to track multiple passwords at a time?
  82. WordPress Protected Page Redirects to PDF
  83. Bypass a WordPress Password Protected Post or Page via a URL
  84. Custom page password recovery
  85. Can I use core passworded page/post functions outside of wp-login.php?
  86. Is it possible to display newly generated password after wp_generate_password()?
  87. How do I password protect a page of posts on WordPress?
  88. forgot password
  89. WordPress not taking password and username
  90. mysql update user’s password and activation key
  91. Is it possible to have users register without having a password?
  92. Password Protection for posts and pages [duplicate]
  93. How WordPress hashes passwords
  94. WordPress reset password button not working
  95. Override the default password length when creating or updating a user profile
  96. Why can’t I create an Application Password?
  97. ‘random_password’ filters not taking effect
  98. FTP Password (not private key-value pair) for EC2 Instance
  99. How to Disable Pre-population of Password on Password Reset
  100. Bypass a WordPress Password Protected Page via url