jackreichert
Member
Posted 4 months ago #
Hi all,
Just posted a new plugin: No More Passwords
I currently have it tagged beta because logging into a platform is a sensitive issue and I don't want to release something that may have security holes. So here's my query:
Is it secure?
I've done the following to ensure security:
- Username/password are never passed back and forth, only the unique hash.
- Hash is removed from the database once it's used; old hashes that haven't been used can't be used unless the database is hacked, but then you have bigger issues.
- All database queries of the hash have been escaped to prevent XSS attacks.
Here I have a complete description of how it works.
Next version I hope to implement oauth via twitter, since iOS now has it worked in...
Thanks for your input in advance.
Hi,
I get the error message "the requested URL /wp-admin/options-general.php was not found on this server".
WordPress doesn't reside under root, but hello.com/wordpress, so the URL is not valid.
+window.location.hostname+ seems to be the culprit.
Maybe use +window.location.hostname+window.location.pathname+ ?
jackreichert
Member
Posted 4 months ago #
Thanks for reporting that. I'll look into your solution and get a fix out there asap.
jackreichert
Member
Posted 4 months ago #
Fixed. Version 0.1.1 is out.
On a different note. After consulting with some security guru buddies I decided to add an extra layer of protection -- secret key etc. Version 0.2 will be out shortly.
ericktedeschi
Member
Posted 4 months ago #
Hi,
I saw your code and would like to suggest some little improvements.
- I think that the link generated by the QR code could have a wp_nonce to protect against CSRF.
- Maybe your plugin is vulnerable to DoS, because of the time spent to query the DB, generate the QR code and render the page.
- One tip: You could change the deprecated function get_userdatabylogin by get_user_by('login', $login). (line 41 version 0.1.1)
jackreichert
Member
Posted 4 months ago #
Thanks so much! I'll get right on these improvements. I also plan to add session_id into the mix.
In point #2, what would you do to fight DoS?
Julio Potier (Juliobox)
Member
Posted 4 months ago #
Hello everybody
@ericktedeschi: you cannot create a WP nonce because the user ID is used.
Also, you cannot create a homemade nonce, because if you can validate a nonce from a trusted/admin user and the guest nonce, the CSRF is always possible.
"Maybe your plugin is vulnerable to DoS, because of the time spent to query the DB, generate the QR code and render the page."
I agree; my solution is to send a simple AJAX request every 2 or 5 seconds. It's enough and less of a server processor eater!
@all
FYI: http://wordpress.org/support/topic/plugin-no-more-passwords-security-issue?replies=1
@jack:
After consulting with some security guru buddies I decided to add an extra layer of protection -- secret key etc. Version 0.2 will be out shortly.
Who are they? Can you talk with me about this?
Have a nice day!
Yossi Jana
Member
Posted 3 months ago #
We are now in Version 0.3
Any news on whether the plugin is secure?
Also, i checked the plugin in 2 different websites.
The QR code doesn't appear next to login form in wp-admin url.
Any suggestions?
jackreichert
Member
Posted 3 months ago #
Hi Yossi,
V0.3 is better off but not there yet. I've been working with several other bboards as well as a security consultant to finish it up.
Would you mind sharing more info about your installation/browser you are using so I can troubleshoot it?
jackreichert
Member
Posted 3 months ago #
Added a nonce, and a confirmation step was added on the mobile end to prevent CSRF attacks,
thanks to @juliobox's advice.
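Pulling the thread together, here is an added Python model of the QR-login flow as the posts describe it: the first post's properties (only a random token travels, never the password; the token is single-use and deleted once consumed), ericktedeschi's CSRF and DoS points, Juliobox's cheap periodic AJAX poll, and the confirmation step on the phone that jackreichert says the plugin now has. This is illustrative code, not the plugin's PHP; it assumes a 120-second token lifetime, in-memory dicts standing in for the WordPress tables, a SHA-256 digest of the token as the stored key (so a read-only leak of that table does not yield a token the attacker can poll with), and a constructed user ID. The CSRF case it demonstrates is the one Juliobox warns about: an attacker shows a QR code in their own browser and tricks a logged-in phone into approving it, which only a deliberate, CSRF-protected POST from the phone should be able to do.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 120  # seconds a pending QR login stays valid (assumed value, not the plugin's)


class QrLoginService:
    """Constructed model of a QR-code login: browser shows a token, phone approves it."""

    def __init__(self, clock=time.time):
        self.clock = clock
        # pending logins keyed by sha256(token); the raw token is never stored
        self.pending = {}   # digest -> {'created': ts, 'user_id': None | int}
        # phone-side authenticated sessions (stand-in for the WordPress auth cookie)
        self.sessions = {}  # session_id -> {'user_id': int, 'csrf': str}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _live(self, token: str):
        """Return the pending record for a token, dropping it if it has expired."""
        digest = self._digest(token)
        rec = self.pending.get(digest)
        if rec is None:
            return None
        if self.clock() - rec['created'] > TOKEN_TTL:
            del self.pending[digest]
            return None
        return rec

    # --- browser (login page) side ---
    def start_login(self) -> str:
        """Issue a fresh random token for the QR code; only its digest is persisted."""
        token = secrets.token_urlsafe(32)
        self.pending[self._digest(token)] = {'created': self.clock(), 'user_id': None}
        return token

    def poll(self, token: str):
        """Cheap status check the browser repeats every few seconds: one lookup, no QR rendering.
        Returns 'waiting', the approving user's id (once, then the token is deleted), or None."""
        rec = self._live(token)
        if rec is None:
            return None
        if rec['user_id'] is None:
            return 'waiting'
        del self.pending[self._digest(token)]  # single use: consumed on first successful poll
        return rec['user_id']

    # --- phone (already authenticated) side ---
    def phone_login(self, user_id: int) -> str:
        """Create an authenticated phone session with its own CSRF secret."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {'user_id': user_id, 'csrf': secrets.token_urlsafe(16)}
        return sid

    def confirm_page(self, session_id: str, token: str):
        """GET of the scanned link: shows a confirmation form and approves nothing by itself."""
        sess = self.sessions.get(session_id)
        if sess is None or self._live(token) is None:
            return None
        return {'message': 'Log in the browser that showed this code?', 'csrf': sess['csrf']}

    def confirm(self, session_id: str, token: str, csrf: str) -> bool:
        """POST from the confirmation form: approve only with this session's CSRF secret."""
        sess = self.sessions.get(session_id)
        if sess is None or not hmac.compare_digest(sess['csrf'], csrf):
            return False  # forged or cross-site request: token stays unapproved
        rec = self._live(token)
        if rec is None or rec['user_id'] is not None:
            return False
        rec['user_id'] = sess['user_id']
        return True


def demo():
    """Walk the flow once, including a forged confirmation, and return what each step saw."""
    svc = QrLoginService()
    token = svc.start_login()          # shown as a QR code on the login page
    first_poll = svc.poll(token)       # 'waiting'
    sid = svc.phone_login(7)           # constructed user id 7 is logged in on the phone
    page = svc.confirm_page(sid, token)
    forged = svc.confirm(sid, token, 'not-the-csrf-secret')  # cross-site attempt: False
    approved = svc.confirm(sid, token, page['csrf'])         # deliberate approval: True
    logged_in_as = svc.poll(token)     # 7, and the token is now gone
    replay = svc.poll(token)           # None: single use
    return first_poll, forged, approved, logged_in_as, replay


if __name__ == '__main__':
    print(demo())
```

The poll endpoint is deliberately the cheapest operation in the service, which is the point of Juliobox's suggestion: the expensive QR rendering happens once when the page is first served, not on every status check. The approval itself is only reachable through a POST that carries the phone session's own CSRF secret, so a link or QR code that a victim's logged-in phone merely opens cannot log an attacker's browser in.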
Julio Potier (Juliobox)
Member
Posted 3 months ago #
In response to this plugin I've just created mine ;)
http://baw.li/msl
Called "More Secure Login", this is a plugin about strong authentication.
Check this out ;)
jackreichert
Member
Posted 3 months ago #