Google Authenticator for WordPress
[resolved] When are old OTPs deleted from db? (5 posts)

  1. dthorpe
    Member
    Posted 1 year ago #

    Your feature list mentions that used one-time-passwords are stored in a db to prevent replay attacks. When are these old passwords removed from the db? I don't want them chewing up infinite disk space over time.

    https://wordpress.org/plugins/wp-google-authenticator/

  2. Julien Liabeuf
    Member
    Plugin Author

    Posted 1 year ago #

    Indeed you're right, it shouldn't sit in the DB forever. There is currently no cleaning feature but I planned on adding it (see the issue on GitHub). I'll probably integrate an automatic cleaning + a manual option.

  3. dthorpe
    Member
    Posted 1 year ago #

    OK, thanks for the reply.

    Deleting OTPs from the DB that are older than, say, 5 minutes is very important to avoid server bloat on high traffic servers.

    Given that time-based OTPs such as Google Authenticator are only valid for 60 seconds (+ clock skew allowance by verifying server), I don't really see a pressing need to store OTPs as a hedge against replay attacks.

    Would you consider an option to not store OTPs in a DB at all?

  4. Julien Liabeuf
    Member
    Plugin Author

    Posted 1 year ago #

    You're absolutely right. I'll work on this improvement ASAP. I didn't plan to add an option to not store TOTPs in DB at all, but that wouldn't be hard to do.

  5. Julien Liabeuf
    Member
    Plugin Author

    Posted 1 year ago #

    I finally found some time to update the plugin. Old TOTPs will now automatically be deleted from DB daily.

    Actually, you should deactivate and re-activate the plugin in order to make sure the cron task is enabled.
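    The thread turns on two points: why a verifier records used one-time passwords (so a code captured inside its validity window cannot be submitted a second time), and how long such a record must be kept before it can be purged. The following is an added example written for this thread, not code from the wp-google-authenticator plugin: a minimal RFC 6238 TOTP verifier with a replay cache that remembers accepted codes and a `prune()` method a periodic cleanup task would call. The time step (30 s), skew (one step either side), the `ReplayCache` class and the in-memory dictionary standing in for the database table are assumptions of the example; the shared secret is the RFC 6238 test-vector key, used only so the values can be checked.

```python
import hashlib
import hmac
import struct

STEP = 30    # TOTP time step in seconds (RFC 6238 default; assumed here)
SKEW = 1     # steps of clock drift tolerated on each side (assumed here)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


class ReplayCache:
    """Stores (user, code) pairs that were accepted, and forgets them once they
    can no longer be accepted. A dict stands in for the database table."""

    def __init__(self, step: int = STEP, skew: int = SKEW):
        # A code for step T is accepted while now // step lies in [T - skew, T + skew],
        # so no record needs to outlive (2 * skew + 1) steps after it was written.
        self.ttl = step * (2 * skew + 1)
        self.entries: dict[tuple[str, str], int] = {}   # (user, code) -> time recorded

    def seen(self, user: str, code: str) -> bool:
        return (user, code) in self.entries

    def record(self, user: str, code: str, now: int) -> None:
        self.entries[(user, code)] = now

    def prune(self, now: int) -> int:
        """Delete records older than the acceptance window; returns how many were removed.
        This is the work a scheduled cleanup task (daily cron or otherwise) performs."""
        stale = [key for key, t in self.entries.items() if now - t > self.ttl]
        for key in stale:
            del self.entries[key]
        return len(stale)


def verify(secret: bytes, user: str, code: str, now: int, cache: ReplayCache,
           step: int = STEP, skew: int = SKEW) -> bool:
    """Accept the code if it matches the current step or any step within +/- skew,
    and only if this user has not already used it. Accepted codes are recorded."""
    if cache.seen(user, code):
        return False                      # replay inside the validity window
    for offset in range(-skew, skew + 1):
        expected = hotp(secret, now // step + offset)
        if hmac.compare_digest(expected, code):   # constant-time comparison
            cache.record(user, code, now)
            return True
    return False


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 6238 test-vector key
    cache = ReplayCache()
    code = totp(secret, 59)                   # "287082"
    print("first use:", verify(secret, "alice", code, 59, cache))    # True
    print("replay:   ", verify(secret, "alice", code, 89, cache))    # False
    print("pruned at t=150:", cache.prune(150))                      # 1
```

The cache keeps a record only as long as the code it describes could still be accepted, so the cleanup interval can be derived from the step and skew rather than chosen by hand; a sweep that runs less often than that bound is still correct, it just holds rows longer than necessary.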
