• I am pleased with this plugin; it works well with the requirements of my web site and it’s easy to customise.

    However there is one significant weakness in this plug-in at the moment, if you are thinking of using this as a secure log-in facility.

    The wppb_check_password_strength function checks the wppb_password_strength that is posted back client-side via JQuery.

    A user can override this by modifying the posted values for the password using a request modifier such as Fiddler, and so can reset their password to a lower level of strength than we would want to enforce. The password strength has already been calculated client-side, so hitting the submit button with modified passw values is a cinch.

    To get around this I have had to add some additional code (using ZxcvbnPhp) to do another validation of the password server-side, after the submit button has been clicked.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hello Mike,

    Thanks for your input.

    As a matter of fact, we are planning a refactoring of the whole password strength functionality, and I am adding this observation as well.

    With the best of wishes,
    Gabriel

    Also, I have word from the development team that actually that we are also doing that validation on the server side, already.

    Cheers,
    Gabriel

    Thread Starter mikemackechnie

    (@mikemackechnie)

    Thank you Gabriel, but that is simply not true.

    Perhaps your developers did not understand the weakness that I described.

    The validation on the server side is done when the user has finished typing in the passwords, but is not repeating the validation when the user hits the submit button.

    We had an external Pen Tester analyse our installation last Friday, and he came back with this:

    “I’ve just retested and I’m still able to set a weak password by setting entering a strong one initially (to satisfy the client-side validation), and then intercept the request to swap out the strong password with a weaker password. It still appears that no server-side validation is in place which checks the password being submitted to the application does meet the password policy requirements.”

    As a result of this we had to back out our upgrade to 2.9.3 and re-install with 2.9.0 plus my Zxcvbn-php updates.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Good plugin but one significant weakness’ is closed to new replies.