Semisecure Login Reimagined
Prior to WordPress 2.5, I’d been using a plugin called Semisecure Login. This plugin would encrypt your password when logging in via a one-way md5 hash and compare this to your password’s md5 hash on the server side (prior to WordPress 2.5 passwords were stored in the database as md5 hashes). A nonce was thrown in for good measure to help prevent replay attacks. This, effectively, provided a “semisecure” login environment. It obviously wasn’t as secure as using an SSL cert (it wouldn’t prevent session hijacking, etc.) but I liked it.
With the release of WordPress 2.5, passwords are now hashed up by phpass before entering the database. Further complicating the matter, phpass salts each password before hashing. This change effectively “breaks” Semisecure Login. Using a plugin, it’s possible to revert back to the md5 hashes, and Semisecure Login for WordPress 2.5 takes advantage of this.
On the other hand, I wanted to keep using the new phpass hashes and still provide a semisecure login environment. This thread details the difficulty in making this happen. There didn’t seem to be any way to use one-way hashing, and using standard secret-key encryption was out (for obvious reasons). The only thing that left me with was to try and use public-key encryption.
RSA is a popular public-key algorithm, and I was able to find a few implementations in both JavaScript and PHP. My main criteria in picking which implementation(s) to use were (1) interoperability between JavaScript and PHP, (2) efficiency, speed, and performance and (3) a solution that would work for most shared hosts. I ended up settling on the jsbn library for JavaScript and OpenSSL on the PHP side. Unfortunately, PHP’s built-in openssl functions are rather limited when it comes to generating RSA keypairs, so I had to rely on making calls directly against openssl when generating a keypair. This works great on a Linux server but is currently untested on Windows (although I have a feeling it would work as long as the folder where OpenSSL lives was added to the system path).
Download
You can download Semisecure Login Reimagined at its official WordPress page. Additional information, such as installation instructions and changelog, are located there as well.
Requirements
- WordPress: 2.1 to 2.5.1 (2.5.1 is the latest version at the time of this post)
- PHP: 4 or 5 (tested as far back as 4.4.6 and up to 5.2.6)
- OpenSSL (initial keypair generation is handled by direct calls, while decryption is handled by built-in PHP functions)
All tests were performed on various Linux servers. PHP’s program execution functions need to be enabled for the initial keypair generation (safe mode should also be disabled for this). After the keypair is generated, it’s safe to go ahead and re-disable these functions and/or re-enable safe mode. Everyday use of this plugin relies on PHP’s built-in openssl functions.
Update (6/13/08)
As of v1.1.0, keypair generation will work even if safe mode is enabled or the PHP execution functions have been disabled. This alternative keypair generation mode will only work if you’re running PHP 5.2.0 or greater, however.
kiran (Jun 05, 2008)
Hi Moggy.. I love the way u themed your blog (purplemoggy). Love the creative work involved. Since I was addicted to it, I tried to make my blog look similar to your blog. Please give a flash to it and please comment http://restrike.blogspot.com/ Hope u wont be angry for doing it without your concern. Regards Kiran
moggy (Jun 05, 2008)
Looks good, kiran.
kiran (Jun 07, 2008)
Thanks Moggy… Could u please help me with the social bookmarking stuff? I can’t get that attached with my posts. Thanks again, Kiran
Dave Brondsema (Jun 24, 2008)
Thanks for working on this and making a plugin that works with 2.5!
Trackback (Jul 05, 2008)
Leonaut.com
baron (Jul 24, 2008)
hi. Thanks for plugin perfect. Regards
Philix (Jul 28, 2008)
This is a cool plugin
Trackback (Aug 30, 2008)
Poojan Blog
Pingback (Dec 11, 2008)
Русский WordPress 2.7 Lecactus Edition - Lecactus Home
Pingback (Dec 29, 2008)
Les extensions WordPress de Mind Overflow | Mind Overflow
JeKoPhoto (Mar 03, 2009)
Moggy, first I want to thank you for this great plugin! It is a really good choice for those who are not able to use ssl. Did you think about encrypting the username too? I think this could improve the level of security. So there would be absolutely no login information which goes unencrypted through the net and a possible attacker would not know the half of the needed information ;-) Would be interested what you are thinking about. Cheers, Jens
Pingback (Mar 08, 2009)
Wordpress password security on a budget | Bandit Defense
m0rebel (Mar 08, 2009)
I recently discovered this plugin and it’s awesome! I have a computer security blog and I just wrote a post recommending it. Check it out: http://blog.banditdefense.com/2009/03/08/wordpress-password-security-on-a-budget/
moggy (Mar 09, 2009)
Jens –
The default cookie(s) that WordPress uses stores your username as plain-text. So there’s no point in encrypting the username when logging in since it’s going to be sent “over the wire” 3 seconds later anyway.
JeKoPhoto (Mar 09, 2009)
Moggy, thanks for pointing that out – I was not aware of this until now. In fact it would be senseless in these circumstances to en- and decrypt the username. Thanks again, Jens
Álvaro Degives-Más (Mar 14, 2009)
Hi Moggy, the plugin is really awesome. Thanks so much! I have a WP based site I maintain for a non-profit, which gives me a puzzling error upon activation of the plugin:
I can’t figure out what’s going wrong there… It activates, but seemingly won’t generate the keys, no matter the setting I choose. Could you point me in the right direction? Server’s running PHP5.2… Dunno what other info might be helpful to you. Thanks in advance!
Álvaro Degives-Más (Mar 14, 2009)
Scratch that… I installed the previous version (1.4.0), created the keys, upgraded to the current, problem solved. :-) Works like a charm. Thanks!
moggy (Mar 16, 2009)
Sorry about that. Looks like there was a typo. I just pushed an update to fix the issue.
Pingback (Apr 28, 2009)
Wordpress security dissected and analyzed: Part 2 | Bandit Defense