[Plugin: No More Passwords] Is this secure?

Viewing 11 replies - 1 through 11 (of 11 total)
  • Hi,
    I get the error message “the requested URL /wp-admin/options-general.php was not found on this server”.

    WordPress doesn’t reside under root, but hello.com/wordpress, so the URL is not valid.

    +window.location.hostname+ seems to be the culprit.

    Maybe use +window.location.hostname+window.location.pathname+ ?

    Thanks for reporting that. I’ll look into your solution and get a fix out there asap.

    Fixed. Version 0.1.1 is out.

    On a different note. After consulting with some security guru buddies I decided to add an extra layer of protection — secret key etc. Version 0.2 will be out shortly.

    Hi,

    I saw your code and would like to suggest some little improvements.

    – I think that the link generated by the QR code could have a wp_nonce to protect against CSRF.

    – Maybe your plugin is vulnerable to DoS, because of the time spent to query the DB, generate the QR code and render the page.

    – One tip: you could replace the deprecated function get_userdatabylogin with get_user_by('login', $login). (line 41, version 0.1.1)

    Thanks so much! I’ll get right on these improvements. I also plan to add session_id into the mix.

    In point #2, what would you do to fight DoS?

    Hello everybody

    @ericktedeschi: you cannot create a WP nonce because the user ID is used.
    Also, you cannot create a homemade nonce, because if you can validate a nonce from a trusted/admin user and the guest nonce, the CSRF is always possible.

    “Maybe your plugin is vulnerable to DoS, because of the time spent to query the DB, generate the QR code and render the page.”

    I agree; my solution is to send a simple AJAX request every 2 or 5 seconds. It’s enough and less of a server processor eater!

    @all
    FYI: http://wordpress.org/support/topic/plugin-no-more-passwords-security-issue?replies=1

    @jack:

    After consulting with some security guru buddies I decided to add an extra layer of protection — secret key etc. Version 0.2 will be out shortly.

    Who are they? Can you talk with me about this?

    Have a nice day!

    We are now in Version 0.3
    Any news if the plugin is secured?

    Also, I checked the plugin on 2 different websites.
    The QR code doesn’t appear next to the login form at the wp-admin URL.

    Any suggestions?

    Hi Yossi,

    V0.3 is better off but not there yet. I’ve been working with several other bboards as well as a security consultant to finish it up.

    Would you mind sharing more info about your installation/browser you are using so I can troubleshoot it?

    Added a nonce and a confirmation on the mobile end to prevent CSRF attacks,
    thanks to @juliobox‘s advice.
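    As an added illustration of the nonce-plus-confirmation approach discussed in this thread (and of the cheap polling suggested against DoS), the following is not the plugin’s code: the function names, the /nmp-approve/ URL, the transient key prefix and the 120-second expiry are all assumptions.

```php
<?php
// Illustrative QR-login approval flow (assumed design, not the plugin's code).
// Desktop shows a QR code; a logged-in mobile user must explicitly approve.

const NMP_TTL = 120; // seconds a pending login stays valid (assumed value)

// Desktop side: random one-time token, stored server-side, encoded in the QR link.
function nmp_create_pending_login() {
    $token = wp_generate_password( 32, false ); // alphanumeric, safe in a URL
    set_transient( 'nmp_pending_' . $token, array( 'user_id' => 0 ), NMP_TTL );
    return add_query_arg( 'nmp_token', $token, home_url( '/nmp-approve/' ) );
}

// Mobile side, GET: render a confirmation form instead of approving on open,
// so merely opening the link (e.g. via a forged request) logs nobody in.
function nmp_render_confirmation( $token ) {
    echo '<form method="post">';
    wp_nonce_field( 'nmp_approve_' . $token, 'nmp_nonce' ); // tied to mobile user's session
    echo '<input type="hidden" name="nmp_token" value="' . esc_attr( $token ) . '">';
    echo '<button type="submit">Approve login on the other device</button></form>';
}

// Mobile side, POST: verify the per-user nonce, then bind the token to this user.
function nmp_handle_approval() {
    if ( ! is_user_logged_in() || empty( $_POST['nmp_token'] ) ) { return false; }
    $token = sanitize_text_field( wp_unslash( $_POST['nmp_token'] ) );
    $nonce = isset( $_POST['nmp_nonce'] ) ? $_POST['nmp_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'nmp_approve_' . $token ) ) { return false; }
    $pending = get_transient( 'nmp_pending_' . $token );
    if ( false === $pending || 0 !== $pending['user_id'] ) { return false; } // unknown, expired or used
    set_transient( 'nmp_pending_' . $token, array( 'user_id' => get_current_user_id() ), NMP_TTL );
    return true;
}

// Desktop polling endpoint: one transient read, no user query and no QR
// regeneration per poll; logs in only once an approval has been recorded.
function nmp_poll( $token ) {
    $pending = get_transient( 'nmp_pending_' . $token );
    if ( false === $pending || 0 === $pending['user_id'] ) { return false; }
    delete_transient( 'nmp_pending_' . $token ); // one-time use
    $user = get_user_by( 'id', $pending['user_id'] ); // non-deprecated lookup
    if ( ! $user ) { return false; }
    wp_set_auth_cookie( $user->ID );
    return true;
}
```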

    In response to this plugin I’ve just created mine 😉
    http://baw.li/msl
    Called “More Secure Login”, this is a plugin about strong authentication.
    Check this out 😉

    1+

  • The topic ‘[Plugin: No More Passwords] Is this secure?’ is closed to new replies.