Version Description
- Beta release.
Release Info
Developer: convissor
Plugin: Login Security Solution
Version: 0.1.0
Code changes from version 0.0.4 to 0.1.0
- login-security-solution.php +4 -1
- readme.txt +24 -18
login-security-solution.php
CHANGED
@@ -6,7 +6,7 @@
|
|
6 |
* Description: Requires very strong passwords, repels brute force login attacks, prevents login information disclosures, expires idle sessions, notifies admins of attacks and breaches, permits administrators to disable logins for maintenance or emergency reasons and reset all passwords.
|
7 |
*
|
8 |
* Plugin URI: http://wordpress.org/extend/plugins/login-security-solution/
|
9 |
-
* Version: 0.0
|
10 |
* Author: Daniel Convissor
|
11 |
* Author URI: http://www.analysisandsolutions.com/
|
12 |
* License: GPLv2
|
@@ -1220,6 +1220,9 @@ class login_security_solution {
|
|
1220 |
$prior = array_shift($chars);
|
1221 |
$transitions = 0;
|
1222 |
foreach ($chars as $char) {
|
|
|
|
|
|
|
1223 |
if (abs( hexdec(bin2hex($char)) - hexdec(bin2hex($prior)) ) > 2) {
|
1224 |
$transitions++;
|
1225 |
}
|
6 |
* Description: Requires very strong passwords, repels brute force login attacks, prevents login information disclosures, expires idle sessions, notifies admins of attacks and breaches, permits administrators to disable logins for maintenance or emergency reasons and reset all passwords.
|
7 |
*
|
8 |
* Plugin URI: http://wordpress.org/extend/plugins/login-security-solution/
|
9 |
+
* Version: 0.1.0
|
10 |
* Author: Daniel Convissor
|
11 |
* Author URI: http://www.analysisandsolutions.com/
|
12 |
* License: GPLv2
|
1220 |
$prior = array_shift($chars);
|
1221 |
$transitions = 0;
|
1222 |
foreach ($chars as $char) {
|
1223 |
+
// Use "> 2" because some alphabets have the upper and lower case
|
1224 |
+
// of a letter next to each other, so the next letter in the same
|
1225 |
+
// case is two points away.
|
1226 |
if (abs( hexdec(bin2hex($char)) - hexdec(bin2hex($prior)) ) > 2) {
|
1227 |
$transitions++;
|
1228 |
}
|
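Review bot: the new comment at lines 1223-1225 reasons in terms of letters being "two points away", but the comparison on line 1226 uses `hexdec(bin2hex($char))`, which is the integer value of the character's UTF-8 byte sequence rather than its code point. For the alternating-case alphabets the comment has in mind (multibyte letters), that value only approximates code-point distance and jumps by roughly 190 whenever the trailing byte wraps from 0xBF to the next lead byte, so either the comment should say it works on encoded byte values or the code should convert to a code point before subtracting. It is also worth recording that `> 2` means a step of exactly two in the single-byte range (e.g. `a` followed by `c`) is treated as non-sequential, since that is the trade-off the threshold makes.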
readme.txt
CHANGED
@@ -10,7 +10,7 @@ Repels brute force attacks (by IP, name, password). Requires very strong passwor
|
|
10 |
== Description ==
|
11 |
|
12 |
* Blocks brute force and dictionary attacks without inconveniencing
|
13 |
-
legitimate users
|
14 |
+ Tracks IP addresses, usernames, and passwords
|
15 |
+ If a login failure uses data matching a past failure, the plugin
|
16 |
slows down response times. The more failures, the longer the delay.
|
@@ -35,9 +35,10 @@ The tests have caught every password dictionary entry I've tried.
|
|
35 |
+ Non-sequential keystrokes (custom sequence files can be added)
|
36 |
+ Not in the password dictionary files you've provided (if any)
|
37 |
+ Decodes "leet" speak
|
38 |
-
+
|
|
|
39 |
|
40 |
-
* Password aging (optional)
|
41 |
+ Users need to change password every x days (customizable)
|
42 |
+ Grace period for picking a new password (customizable)
|
43 |
+ Remembers old passwords (quantity is customizable)
|
@@ -62,7 +63,8 @@ The tests have caught every password dictionary entry I've tried.
|
|
62 |
= Improvements Over Similar WordPress Plugins =
|
63 |
|
64 |
* The plugin itself is secure against SQL, HTML, and header injections
|
65 |
-
* Notice-free code means no information disclosures if
|
|
|
66 |
* Only loads files, actions, and filters needed for enabled options
|
67 |
and the page's context
|
68 |
* Provides an option to have deactivation remove all of this plugin's
|
@@ -79,7 +81,7 @@ The tests have caught every password dictionary entry I've tried.
|
|
79 |
You're probably thinking "There's nothing valuable on my website. No one
|
80 |
will bother breaking into it." What you need to realize is that attackers
|
81 |
are going after your visitors. They put stealth code on your website
|
82 |
-
that pushes malware into
|
83 |
|
84 |
> According to SophosLabs more than 30,000 websites are infected
|
85 |
> every day and 80% of those infected sites are legitimate.
|
@@ -90,7 +92,7 @@ that pushes malware into the browsers of the people looking at your site.
|
|
90 |
> -- [*Security Threat Report 2012*](http://www.sophos.com/en-us/security-news-trends/reports/security-threat-report/html-08.aspx)
|
91 |
|
92 |
So if your site does get cracked, not only do you waste hours cleaning up,
|
93 |
-
your reputation
|
94 |
and worst of all, you've inadvertently helped infect the computers of your
|
95 |
clients and friends.
|
96 |
|
@@ -98,7 +100,7 @@ clients and friends.
|
|
98 |
== Installation ==
|
99 |
|
100 |
1. Download the package
|
101 |
-
|
102 |
|
103 |
1. Unzip the file.
|
104 |
|
@@ -177,7 +179,8 @@ The plugin needs to be placed in the `wp-contents/plugins` directory of
|
|
177 |
a working WordPress installation. The plugin does not need to be
|
178 |
activated for the tests to run.
|
179 |
|
180 |
-
To execute the tests, `cd` into
|
|
|
181 |
|
182 |
Please note that the tests make extensive use of database transactions.
|
183 |
Many tests will be skipped if your `wp_options` and `wp_usermeta` tables
|
@@ -204,6 +207,9 @@ Ask and ye shall receive.
|
|
204 |
|
205 |
== Changelog ==
|
206 |
|
|
|
|
|
|
|
207 |
= 0.0.4 =
|
208 |
* Initial import to `plugins.svn.wordpress.org`.
|
209 |
|
@@ -243,17 +249,17 @@ Select `login-security-solution` in the "Component" list.
|
|
243 |
== Inspiration and References ==
|
244 |
|
245 |
* Password Research
|
246 |
-
+ [You can never have too many passwords: techniques for evaluating a huge corpus](http://www.cl.cam.ac.uk/~jcb82/doc/B12-IEEESP-evaluating_a_huge_password_corpus.pdf)
|
247 |
-
+ [Analyzing Password Strength](http://www.cs.ru.nl/bachelorscripties/2010/Martin_Devillers___0437999___Analyzing_password_strength.pdf)
|
248 |
-
+ [Consumer Password Worst Practices](http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf)
|
249 |
-
+ [Preventing Brute Force Attacks on your Web Login](http://www.bryanrite.com/preventing-brute-force-attacks-on-your-web-login/)
|
250 |
-
+ [Password Strength](http://xkcd.com/936/)
|
251 |
|
252 |
* Technical Info
|
253 |
-
+ [The Extreme UTF-8 Table](http://doc.infosnel.nl/extreme_utf-8.html)
|
254 |
-
+ [A Recommendation for IPv6 Address Text Representation](http://tools.ietf.org/html/rfc5952)
|
255 |
|
256 |
* Password Lists
|
257 |
-
+ [Dazzlepod Password List](http://dazzlepod.com/site_media/txt/passwords.txt)
|
258 |
-
+ [Common Passwords](http://www.searchlores.org/commonpass1.htm)
|
259 |
-
+ [The Top 500 Worst Passwords of All Time](http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time)
|
10 |
== Description ==
|
11 |
|
12 |
* Blocks brute force and dictionary attacks without inconveniencing
|
13 |
+
legitimate users or administrators
|
14 |
+ Tracks IP addresses, usernames, and passwords
|
15 |
+ If a login failure uses data matching a past failure, the plugin
|
16 |
slows down response times. The more failures, the longer the delay.
|
35 |
+ Non-sequential keystrokes (custom sequence files can be added)
|
36 |
+ Not in the password dictionary files you've provided (if any)
|
37 |
+ Decodes "leet" speak
|
38 |
+
+ The password/phrase is not found by the `dict` dictionary
|
39 |
+
program (if available)
|
40 |
|
41 |
+
* Password aging (optional) (not recommended)
|
42 |
+ Users need to change password every x days (customizable)
|
43 |
+ Grace period for picking a new password (customizable)
|
44 |
+ Remembers old passwords (quantity is customizable)
|
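Review bot: line 41 marks password aging "(not recommended)" without saying why; one clause next to the option (for instance that forced periodic changes tend to push users toward weaker, predictable passwords) would let administrators make an informed choice. For the new `dict` check on lines 38-39, "(if available)" leaves open whether the check is skipped silently when the program is absent and which dictionaries it is queried against; the readme should state both.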
63 |
= Improvements Over Similar WordPress Plugins =
|
64 |
|
65 |
* The plugin itself is secure against SQL, HTML, and header injections
|
66 |
+
* Notice-free code means no information disclosures if `display_errors`
|
67 |
+
is on and `error_reporting` includes `E_NOTICE`
|
68 |
* Only loads files, actions, and filters needed for enabled options
|
69 |
and the page's context
|
70 |
* Provides an option to have deactivation remove all of this plugin's
|
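Review bot: lines 66-67 claim no information disclosure from notices, but with `display_errors` on, warnings and deprecation messages print the same file paths as notices do; unless the code is also warning-free, the sentence should say "notice- and warning-free" or narrow the claim to `E_NOTICE` explicitly so it is not read as a blanket guarantee.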
81 |
You're probably thinking "There's nothing valuable on my website. No one
|
82 |
will bother breaking into it." What you need to realize is that attackers
|
83 |
are going after your visitors. They put stealth code on your website
|
84 |
+
that pushes malware into your readers' browsers.
|
85 |
|
86 |
> According to SophosLabs more than 30,000 websites are infected
|
87 |
> every day and 80% of those infected sites are legitimate.
|
92 |
> -- [*Security Threat Report 2012*](http://www.sophos.com/en-us/security-news-trends/reports/security-threat-report/html-08.aspx)
|
93 |
|
94 |
So if your site does get cracked, not only do you waste hours cleaning up,
|
95 |
+
your reputation gets sullied, security software flags your site as dangerous,
|
96 |
and worst of all, you've inadvertently helped infect the computers of your
|
97 |
clients and friends.
|
98 |
|
100 |
== Installation ==
|
101 |
|
102 |
1. Download the package
|
103 |
+
from `http://wordpress.org/extend/plugins/login-security-solution/`
|
104 |
|
105 |
1. Unzip the file.
|
106 |
|
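Review bot: line 103 gives the download location over plain `http://`; suggest `https://` so the package is fetched over an authenticated channel. The URL is also wrapped in backticks, which renders as inline code rather than a link in the plugin readme; a plain URL or a Markdown link would be more useful to the reader.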
179 |
a working WordPress installation. The plugin does not need to be
|
180 |
activated for the tests to run.
|
181 |
|
182 |
+
To execute the tests, `cd` into this plugin's directory and
|
183 |
+
call `phpunit tests` .
|
184 |
|
185 |
Please note that the tests make extensive use of database transactions.
|
186 |
Many tests will be skipped if your `wp_options` and `wp_usermeta` tables
|
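Review bot: line 183 has a stray space before the full stop after `phpunit tests`. More importantly, since lines 179-180 and 185-186 say the suite runs inside a working WordPress installation and makes extensive use of database transactions, the readme should tell readers to point the tests at a disposable copy of the site rather than a production database.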
207 |
|
208 |
== Changelog ==
|
209 |
|
210 |
+
= 0.1.0 =
|
211 |
+
* Beta release.
|
212 |
+
|
213 |
= 0.0.4 =
|
214 |
* Initial import to `plugins.svn.wordpress.org`.
|
215 |
|
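Review bot: the 0.1.0 changelog entry on lines 210-211 says only "Beta release", while this same commit documents a `dict`-based dictionary check and marks password aging as not recommended; if those are behaviour changes in 0.1.0 they belong in the entry so administrators upgrading from 0.0.4 know what changed.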
249 |
== Inspiration and References ==
|
250 |
|
251 |
* Password Research
|
252 |
+
+ [You can never have too many passwords: techniques for evaluating a huge corpus](http://www.cl.cam.ac.uk/~jcb82/doc/B12-IEEESP-evaluating_a_huge_password_corpus.pdf), Joseph Bonneau
|
253 |
+
+ [Analyzing Password Strength](http://www.cs.ru.nl/bachelorscripties/2010/Martin_Devillers___0437999___Analyzing_password_strength.pdf), Martin_Devillers
|
254 |
+
+ [Consumer Password Worst Practices](http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf), Imperva
|
255 |
+
+ [Preventing Brute Force Attacks on your Web Login](http://www.bryanrite.com/preventing-brute-force-attacks-on-your-web-login/), Bryan Rite
|
256 |
+
+ [Password Strength](http://xkcd.com/936/), Randall Munroe
|
257 |
|
258 |
* Technical Info
|
259 |
+
+ [The Extreme UTF-8 Table](http://doc.infosnel.nl/extreme_utf-8.html), infosnel.nl
|
260 |
+
+ [A Recommendation for IPv6 Address Text Representation](http://tools.ietf.org/html/rfc5952), Seiichi Kawamura and Masanobu Kawashima
|
261 |
|
262 |
* Password Lists
|
263 |
+
+ [Dazzlepod Password List](http://dazzlepod.com/site_media/txt/passwords.txt), Dazzlepod
|
264 |
+
+ [Common Passwords](http://www.searchlores.org/commonpass1.htm), Fravia
|
265 |
+
+ [The Top 500 Worst Passwords of All Time](http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time), Mark Burnett
|
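Review bot: line 253 credits "Martin_Devillers" with an underscore carried over from the PDF filename; it should read "Martin Devillers". The remaining attributions are consistent.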