WordPress.org

Ready to get started?Download WordPress

Forums

More Secure Login
[resolved] display MSL Secure Card as a text in dashboard (7 posts)

  1. r2_d2
    Member
    Posted 1 year ago #

    Hello,

    I have a few suggestions for improving the MSL Secure Card.

    1. upon activating the More Secure Login instead of sending the
    MSL Secure Card via email, can these codes be displayed in the
    Dashboard ONLY first time when the plugin is activated..
    NO STORING OF THESE CODES IN THE DB OR SOME TEMP FOLDERS
    JUST DISPLAY THEM FIRST TIME AFTER GENERATING AS A CLEAN TEXT
    THAN WE CAN COPY THE CODES TO SECURE PLACE

    Next time when we need new codes, the script should send us an email
    just with the information that we have to generate a new MSL Secure
    Card because we have used all the codes..

    2. Extend the MSL Secure Card code numbers from 4 to 6 characters

    3. Generate more combinations, perhaps create a settings page where
    we can choose how many combinations we will generate at the time..

    4. disable MSL Secure Card sending via email, as the email is not
    secure, I can sniff an email within a seconds.....

    Thank You
    Cheers

    http://wordpress.org/extend/plugins/baw-more-secure-login/

  2. Julio Potier
    Member
    Plugin Author

    Posted 1 year ago #

    hi
    1. No, WP won't show the codes because i'll have to store them in a file, then displays them, then delete the file.

    1bis. Codes are not "used", you can log in 100000 times, if you think you need to get new ones, ask for a new card.

    2. Pro version incoming

    3. 64 is clearly enought, this is enough paranoiac ;)

    4. if you can sniff an email, you can sniff the 80 port on the victim's computer and so read his screen containing the displayed codes. Email will be the solution.

    Thank you for your requests !

  3. r2_d2
    Member
    Posted 1 year ago #

    Hello,

    1. this is not a true, it`s possible to have the text generated once without a file, I saw it before.. no files needed for this purpose..

    And ok, so we can use these codes in one circle until we manually resend a new Secure Card, I understand...

    2. ok, nice

    3. ok, I can live with 64 codes, I am not a paranoiac but just careful, because our web site was hacked once and I swear never again...
    To be careful and paranoiac are not the same at all... :)

    4. I do not agree with this one either, because:
    Every normal person knows that every login page that is securing something SHOULD use the SSL protection httpS port 443 and NOT port 80. I know that port 80 can be sniffed therefore I do not use it on login pages at all..

    What is the point to deal with the different codes if You are not using SSL protection on login pages and sending the codes via open email ? it`s very easy to track and sniff believe me I did it before..

    Sending these codes via email is not secure and You are aware of this :)

    therefore my suggestion was, use the SSL on the login page, than get these codes generated once in the dashboard, than they should be removed from the dashboard once logged out...

    Think about it.. I am sure that others will agree with this...

    Thank You for reply
    Cheers

  4. Julio Potier
    Member
    Plugin Author

    Posted 1 year ago #

    1. you're right, a file is not mandatory
    4. and what if i lose my MSL card, how can i log in again as a simple member ?

    5. (new point) i think i'll add an option for each member, like the plugin "Google Authenticator" do, "[_] Use the MSL card", mandatory for admins, strongly recommanded for authors, recommanded for contributors, optionnal for subscribers

  5. r2_d2
    Member
    Posted 1 year ago #

    1. sure, this is ok ...
    4. what if You delete Your email with Secure Card ? still gone..
    what can be done in this case is following, connect the plugin to "forget pass" option in wordpress perhaps, so if users looses the card, than he can type the email address in the forgot field and than the plugin can send these codes via email, BUT only one generated code should be send when using forgot pass option, so user can only use this one code and once logged user MUST generate new card and than the 64 codes can be generated and displayed in the dashboard... my suggest.. think about it ..

    5. nice option, I prefer that all categories or groups uses the Secure Card login.... You can have that as an option at least...

    Thank You again...
    cheers

  6. Julio Potier
    Member
    Plugin Author

    Posted 1 year ago #

    4. today when you've lost the card (the printed card, print it, you HAVE to delete your email containing the .png) you can ask for a new one on reset password.
    Your idea of "1 code" is not bad at all, i'll keep this in mind.

    5. also why not. in my mind, an admin can not uncheck the box.

    Thank for your help improving this plugin.

  7. r2_d2
    Member
    Posted 1 year ago #

    4. I agree, print card delete email, but when the codes are generated in wp dashboard,
    we can also mark the text copy it to notepad print the codes
    close the notepad without saving the file on pc.

    Yes why not, my point was, use ssl and get rid of the emails, only use email when
    user loosed its Secure Card, and only send one code in the email, and write som text
    info in the email for this user, that once he is logged
    back on to wp, that he have to generate new Secure
    Card codes displayed in the text format and ONLY
    once. Once user is logged out these codes are gone from wp dashboard.
    He can than copy these generated codes on to notepad and go ahead print it.

    5. I assume that we will not depend on the google
    services in order to be able to use this option ?

    Right now I am on a plane, and it will take around
    4 hours before I can respond on this topic again
    just for info...

    and You're very welcome, I love this plugin and
    I will pay for the pro ver when it comes out..
    Just get rid of emails -;)

    Best regards
    Amel

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic

Tags

No tags yet.