Just posted a new plugin: No More Passwords
I currently have it tagged beta because logging into a platform is a sensitive issue and I don't want to release something that may have security holes. So here's my query:
Is is secure?
I've done the following to ensure security:
- Username/password are never passed back and forth, only the unique hash.
- Hash is removed from the database once it’s used, old hashes that haven’t been used can’t be unless the database is hacked, but then you have bigger issues.
- All database queries of the hash have been escaped to prevent XSS attacks.
Here I have a complete description of how it works.
Next version I hope to implement oauth via twitter, since iOS now has it worked in...
Thanks for your input in advance.