Semisecure Login Reimagined v3
Semisecure Login Reimagined v3 is now available. This release includes a number of changes from previous versions.
For starters, past versions relied on RSA public-key encryption alone. Version 3 now uses a combination of public and secret-key encryption. This means that there is no longer a limit on the length of passwords that can be encrypted. The limit in earlier versions was large enough that I doubt it affected anyone, however.
Initially, two secret-key algorithms are provided: RC4 (a stream cipher) and AES (a block cipher). On the JavaScript side I chose to go with the crypto-js library. Unfortunately, there wasn’t a complementary PHP library, so I ended up converting the majority of crypto-js to PHP.
Past versions of this plugin didn’t behave themselves very well when stepping outside of the ASCII character bounds. (Western ISO-8859-1 might be more technically correct.) Version 3 now has support for UTF-8 passwords. Only UTF-8 is supported. If your blog is using another character encoding then your mileage may vary.
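The public-key plus secret-key combination described above, as an added example that is not the plugin's own code: it shows why RSA alone caps the password length and how wrapping a random AES key removes that cap, including for UTF-8 input. It assumes Node's built-in `crypto` module, a 2048-bit key, OAEP padding and AES-256-GCM in place of the plugin's crypto-js/PHP port; the function names and sample passwords are constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed keypair standing in for the server's RSA key (2048-bit is an assumption).
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const OAEP = { oaepHash: 'sha256' };

// RSA alone: the plaintext must fit in one block (190 bytes for 2048-bit OAEP-SHA256).
function rsaOnlyFits(password) {
  try {
    crypto.publicEncrypt({ key: publicKey, ...OAEP }, Buffer.from(password, 'utf8'));
    return true;
  } catch (err) {
    return false; // OpenSSL rejects input that is too large for the key size
  }
}

// Client side: a fresh AES key encrypts the password; RSA only wraps that 32-byte key.
function encryptPassword(password) {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(password, 'utf8'), cipher.final()]);
  return {
    wrappedKey: crypto.publicEncrypt({ key: publicKey, ...OAEP }, key),
    iv,
    body,
    tag: cipher.getAuthTag(),
  };
}

// Server side: unwrap the AES key with the private key, then decrypt and authenticate.
function decryptPassword(msg) {
  const key = crypto.privateDecrypt({ key: privateKey, ...OAEP }, msg.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, msg.iv);
  decipher.setAuthTag(msg.tag); // final() throws if the ciphertext was modified
  return Buffer.concat([decipher.update(msg.body), decipher.final()]).toString('utf8');
}

// Constructed inputs: a short UTF-8 password and one far longer than an RSA block.
const shortPw = 'pässwörd-密码';
const longPw = 'correct horse battery staple '.repeat(20);
```

The RSA ciphertext stays at 256 bytes regardless of password length, because only the 32-byte AES key is ever passed to RSA.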
The settings page was starting to get long and unwieldy. This has been corrected by splitting each section into sub-pages.
If you’re having trouble generating an RSA keypair then you can now (optionally) display some debugging information to get you pointed in the right direction.
The main reason that the version has been bumped up to version 3 (rather than… say… 2.5) is because the integration API has changed. This change was necessary because of the secret-key addition. Hopefully now, the integration has also been simplified a bit.
Finally, support for older versions of WordPress has been dropped. Semisecure Login Reimagined v3 requires WP 2.7 (or higher) and PHP 4.3 (or higher). Seriously, if you’re running an older version of WordPress you’re just asking to be hacked! OpenSSL is still required, but no other PHP extensions are required (including mcrypt, etc).
Download
The download location hasn’t changed :) You can still download Semisecure Login Reimagined at its official WordPress page.
Koko (Sep 05, 2009)
Hi, I think I discovered a bug after upgrading to V3. When you log
out, and try to log in you receive this error message: ERROR: The
password field is empty. Even though the password field contains
the correct password. If I disable the plugin, I can log in again.
moggy (Sep 06, 2009)
@Koko
Can you give me some information on your WordPress install? (WP version, PHP version, other plugins activated, secret-key algorithm, web-browser version, etc)
Koko (Sep 06, 2009)
Thanks for the answer.
WordPress 2.8.4
Tested with all plugins deactivated except Semisecure
PHP Version 5.2.8
OpenSSL Version OpenSSL 0.9.8b
Secret-key algorithm tested with MARC4 or AES
web-browser tested with Opera (10) or Firefox (3.5.2)
wl (Sep 09, 2009)
I also had the same problem as koko, but after I turned off safe
mode, it’s gone. Running v3.0.1, WP v2.8.4, PHP 5.2.10, openssl
0.9.8e
moggy (Sep 09, 2009)
Thanks for the bug report. I just tested with safe_mode, but am not able to repro.
If anyone can set me up with a repro, please send me an email where I can check it out.
Arthur (Sep 14, 2009)
I have been trying to get this plugin installed and keep coming up
with the following error msg. The host provider assures me that
OpenSSL is functioning correctly. Any clues as what else to try?
>>SemisecureLoginReimagined has not been activated! OpenSSL
doesn’t appear to be available. This plugin relies on OpenSSL and
won’t work until it’s been installed. Click here to return to the
plugins page.
moggy (Sep 14, 2009)
@Arthur
That bit of code checks that the ‘openssl’ extension has been loaded and that the ‘openssl_private_decrypt’ function is available. Do you have a phpinfo page that I can take a look at? (If it’s a private page, can you verify that there’s an openssl section on the page?)
dennyhalim.com (Sep 15, 2009)
make it work with wpmu? please… tnx
wingman (Sep 17, 2009)
I am having the same issue after upgrading to v3.04 (empty
password. Didn’t have the issue with v3.0.3). I am using AES
encryption with 1024 key and wordpress 2.8.4. Not sure -if
relevant- but I installed “subscribe 2” plugin at the same time :)
moggy (Sep 17, 2009)
@wingman
What browser are you using?
wingman (Sep 18, 2009)
I’ve tried it using chrome (latest dev) and ie 8
moggy (Sep 18, 2009)
@wingman
The only change between 3.0.3 and 3.0.4 that could be causing this is on the JavaScript side. Neither of those browsers should cause an issue though. Have you tried disabling all your other plugins, just to make sure there’s not a conflict?
I did find a possible cause for the empty password when upgrading from v2 to v3, but at most you’d only see the error one time. (Edit: this turned out to be a non-issue)
wingman (Sep 18, 2009)
let me try installing version 3.05 and disabling/troubleshooting.
I will post my results here
wingman (Sep 18, 2009)
ok found where the issue is :) If “Nonce” is set to “Print
directly”, then users get the empty password message. I’ve set it
to disable and checked multiple combinations on the plugin (different
key lengths, different encryption method while enabling/disabling
other plugins). Guys, can anyone change the option of “nonce” to
“disabled” and provide feedback?
moggy (Sep 18, 2009)
Nonces are randomly generated and stored in session data. Do PHP sessions work on your server? Does your browser allow cookies?
wingman (Sep 19, 2009)
yes my browser supports cookies and php sessions work on my
server (php 5.2.10)
Koko (Sep 19, 2009)
Just tried version 3.05 and for now I’m not encountering the
password field is empty message.
wingman (Sep 20, 2009)
there is a new version 3.0.6.1 out. changelog of 3.0.6 says “Don’t
start the session if nonces are disabled” and at the moment I have
nonces disabled in order to work on my website
haber (Sep 20, 2009)
Works great, thank you
wingman (Sep 20, 2009)
version 3.0.6.2 works with nonce disabled
VVOR (Oct 04, 2009)
Awesome plugin! Tnx! VVOR http://www.vvor4.nl
Viper007Bond (Dec 05, 2009)
Thanks for the great plugin! I’d love an option that somehow made
it impossible to log in without using this. Perhaps removing the
login fields and adding them back using Javascript or something.
That way a password will never be sent in the clear ever.
moggy (Dec 17, 2009)
@Viper — I’ll consider it for a future version. I always liked the way that the original plugin let you disable JavaScript to log in without encryption (something that I kept for this reimagined version). IMO, that was one of the selling points for using it over Chap Secure Login.
Micah (Dec 23, 2009)
Hey moggy, after installing Wordpress 2.9 and this plugin, I had
trouble logging back in when I later tried to log back in. The
resolution was to delete this plugin from the plugins folder. The
only other active plugins I had were WP Total Cache and Akismet.
Just a FYI in case you hear anything else.
moggy (Dec 24, 2009)
@Micah — Thanks for the report. If you disable JavaScript in your browser you should be able to log in (without encryption). I’ve never used that specific caching plugin, but you might need to set nonces to use the async option. You could also try disabling nonces.
Micah (Dec 24, 2009)
I actually did set the nonces option to async and that didn’t work.
I tried to disable nonce and that seemed to actually work on
initial testing. The error I was getting after trying to log in was
a red block above the log in fields saying, “The password field is
empty.” over and over. Of course this was false since I had a
password in there every time.
Chantak (Jan 10, 2010)
Can you add the Poly1305-AES encryption in your plugin? The link
is: http://cr.yp.to/mac.html