
[Plugin: No More Passwords] Is this secure? (12 posts)

  1. Jack Reichert
    Member
    Posted 2 years ago #

    Hi all,

    Just posted a new plugin: No More Passwords

    I currently have it tagged beta because logging into a platform is a sensitive issue and I don't want to release something that may have security holes. So here's my query:

    Is it secure?

    I've done the following to ensure security:

    1. Username/password are never passed back and forth, only the unique hash.
    2. The hash is removed from the database once it's used; old hashes that haven't been used can't be used unless the database is hacked, but then you have bigger issues.
    3. All database queries of the hash have been escaped to prevent XSS attacks.

    Here I have a complete description of how it works.

    Next version I hope to implement oauth via twitter, since iOS now has it worked in...

    Thanks for your input in advance.

  2. hlcws
    Member
    Posted 2 years ago #

    Hi,
    I get the error message "the requested URL /wp-admin/options-general.php was not found on this server".

    WordPress doesn't reside under root, but hello.com/wordpress, so the URL is not valid.

    +window.location.hostname+ seems to be the culprit.

    Maybe use +window.location.hostname+window.location.pathname+ ?

  3. Jack Reichert
    Member
    Posted 2 years ago #

    Thanks for reporting that. I'll look into your solution and get a fix out there asap.

  4. Jack Reichert
    Member
    Posted 2 years ago #

    Fixed. Version 0.1.1 is out.

    On a different note. After consulting with some security guru buddies I decided to add an extra layer of protection -- secret key etc. Version 0.2 will be out shortly.

  5. ericktedeschi
    Member
    Posted 2 years ago #

    Hi,

    I saw your code and would like to suggest some little improvements.

    - I think that the link generated by the qr code could have an wp_nonce to protect against CSRF.

    - Maybe your plugin is vulnerable to DoS, because of the time spent querying the DB, generating the QR code and rendering the page.

    - One tip: you could change the deprecated function get_userdatabylogin to get_user_by('login', $login). (line 41 of version 0.1.1)

  6. Jack Reichert
    Member
    Posted 2 years ago #

    Thanks so much! I'll get right on these improvements. I also plan to add session_id into the mix.

    In point #2, what would you do to fight DoS?

  7. Julio Potier
    Member
    Posted 2 years ago #

    Hello everybody

    @ericktedeschi: you cannot create a wp nonce because the user id is used.
    Also, you cannot create a homemade nonce, because if you can validate a nonce from a trusted/admin user and the guest nonce, the CSRF is always possible.

    "Maybe your plugin is vulnerable to DoS, because of the time spent querying the DB, generating the QR code and rendering the page."

    I agree. My solution is to send a simple ajax request every 2 or 5 seconds; it's enough and eats less server processing!

    @all
    FYI: http://wordpress.org/support/topic/plugin-no-more-passwords-security-issue?replies=1

    @jack:

    After consulting with some security guru buddies I decided to add an extra layer of protection -- secret key etc. Version 0.2 will be out shortly.

    Who are they? Can you talk with me about this?

    Have a nice day!

  8. Yossi Jana
    Member
    Posted 2 years ago #

    We are now in Version 0.3
    Any news on whether the plugin is secure?

    Also, I checked the plugin on 2 different websites.
    The QR code doesn't appear next to login form in wp-admin url.

    Any suggestions?

  9. Jack Reichert
    Member
    Posted 2 years ago #

    Hi Yossi,

    V0.3 is better off but not there yet. I've been working with several other bboards as well as a security consultant to finish it up.

    Would you mind sharing more info about your installation/browser you are using so I can troubleshoot it?

  10. Jack Reichert
    Member
    Posted 2 years ago #

    Added a nonce, and a confirmation step on the mobile end, to prevent CSRF attacks,
    thanks to @juliobox's advice.
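The flow the thread converges on (post 1: only a one-time hash travels and it is deleted on use; posts 5 and 7: poll a cheap endpoint instead of re-rendering the QR; post 10: a nonce-checked confirmation on the logged-in phone), written out as an added example on WordPress APIs. This is not the No More Passwords plugin's code. The transient names, the `nmp_*` function and query-arg names, the `nmp_client` cookie, the 2-minute lifetime and the use of transients as the token store are all assumptions; it expects WordPress 3.5 or later and PHP 5.6 or later.

```php
<?php
/*
 * Added example, not the plugin's own code. Sketches the one-time-token login
 * discussed in the thread on WordPress APIs. Names, lifetime and the transient
 * store are assumptions (see the lead-in). Needs WordPress >= 3.5, PHP >= 5.6.
 */

const NMP_TTL = 120; // seconds a pending token lives (assumed)

// Storage key derived from the token with the site's auth salt. Only this hash
// is stored, so a dumped wp_options table does not yield usable login links.
// Truncated to 40 hex chars because old WP limited transient names to 45 chars.
function nmp_key( $token ) {
    return 'nmp_' . substr( hash_hmac( 'sha256', $token, wp_salt( 'auth' ) ), 0, 40 );
}

// Desktop, before any output: mint a token and bind it to a random per-browser
// cookie so only the browser that displayed the QR can redeem the approval
// (the "session id" idea from post 6). One DB write per login-page load, so a
// rate limit belongs here in production (post 5's DoS point).
add_action( 'login_init', 'nmp_prepare' );
function nmp_prepare() {
    if ( is_user_logged_in() ) {
        return;
    }
    $token  = wp_generate_password( 32, false, false ); // CSPRNG-backed
    $client = wp_generate_password( 32, false, false );
    setcookie( 'nmp_client', $client, 0, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
    set_transient( nmp_key( $token ), array( 'user_id' => 0, 'client' => nmp_key( $client ) ), NMP_TTL );
    $GLOBALS['nmp_token'] = $token;
}

// Desktop: print the URL the phone will scan (the plugin renders it as a QR
// image; here it is plain text). No username or password is ever in it.
add_action( 'login_form', function () {
    if ( empty( $GLOBALS['nmp_token'] ) ) {
        return;
    }
    $url = add_query_arg( 'nmp_confirm', $GLOBALS['nmp_token'], home_url( '/' ) );
    echo '<p id="nmp-qr" data-url="' . esc_url( $url ) . '">Scan to log in: ' . esc_html( $url ) . '</p>';
} );

// Phone: GET shows a confirmation form, POST approves after a nonce check.
// A wp nonce works on this side because the phone user is logged in, which is
// exactly why it could not protect the anonymous desktop side (post 7).
add_action( 'init', 'nmp_confirm' );
function nmp_confirm() {
    if ( ! isset( $_REQUEST['nmp_confirm'] ) ) {
        return;
    }
    if ( ! is_user_logged_in() ) {
        auth_redirect(); // to wp-login.php and back here; exits
    }
    $token = preg_replace( '/[^A-Za-z0-9]/', '', wp_unslash( $_REQUEST['nmp_confirm'] ) );
    $key   = nmp_key( $token );
    if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        check_admin_referer( 'nmp_confirm_' . $token, 'nmp_nonce' ); // dies on mismatch
        $state = get_transient( $key );
        if ( false === $state || 0 !== $state['user_id'] ) {
            wp_die( 'Token unknown, expired or already approved.' );
        }
        $state['user_id'] = get_current_user_id();
        set_transient( $key, $state, NMP_TTL );
        wp_die( 'Approved. Return to your computer.' );
    }
    // Scanning alone must not log anyone in: an attacker can put a QR code in
    // front of a victim. The explicit click plus a nonce tied to this user makes
    // it a decision the victim takes, not a request forged on their behalf.
    echo '<form method="post">';
    echo '<p>Log in as <strong>' . esc_html( wp_get_current_user()->user_login ) . '</strong> on the computer showing this code?</p>';
    wp_nonce_field( 'nmp_confirm_' . $token, 'nmp_nonce' );
    echo '<input type="hidden" name="nmp_confirm" value="' . esc_attr( $token ) . '">';
    echo '<button type="submit">Yes, log me in there</button></form>';
    exit;
}

// Desktop: page JS polls admin-ajax.php?action=nmp_status&token=... every few
// seconds (post 7). One transient read per poll, nothing re-rendered. On
// approval the record is deleted before the auth cookie is set, so a replayed
// or shared link finds nothing (post 1, point 2).
add_action( 'wp_ajax_nopriv_nmp_status', 'nmp_status' );
function nmp_status() {
    $token  = isset( $_GET['token'] ) ? preg_replace( '/[^A-Za-z0-9]/', '', wp_unslash( $_GET['token'] ) ) : '';
    $client = isset( $_COOKIE['nmp_client'] ) ? (string) $_COOKIE['nmp_client'] : '';
    $key    = nmp_key( $token );
    $state  = get_transient( $key );
    if ( false === $state || empty( $state['user_id'] ) ) {
        wp_send_json( array( 'approved' => false ) ); // pending or expired; exits
    }
    delete_transient( $key );                          // single use, whatever follows
    if ( ! hash_equals( $state['client'], nmp_key( $client ) ) ) {
        wp_send_json( array( 'approved' => false ) ); // approved, but for another browser
    }
    wp_set_auth_cookie( (int) $state['user_id'], false );
    wp_send_json( array( 'approved' => true ) );       // page JS reloads on true
}
```

The desktop page needs a few lines of client script that read `data-url`, render the QR, and call the `nmp_status` endpoint on a timer, reloading once `approved` comes back true; the auth cookie is already set by that response. Deleting the transient before the cookie-binding check fails closed: a token whose approval is redeemed from the wrong browser is lost rather than left around for a second attempt.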

  11. Julio Potier
    Member
    Posted 2 years ago #

    In response to this plugin I've just created mine ;)
    http://baw.li/msl
    Called "More Secure Login", this is a plugin about strong authentication.
    Check this out ;)

  12. Jack Reichert
    Member
    Posted 2 years ago #

    1+

Topic Closed

This topic has been closed to new replies.
