Login Security Solution - Version 0.1.0

Version Description

  • Beta release.

Release Info

Developer convissor
Version 0.1.0

Code changes from version 0.0.4 to 0.1.0

Files changed (2)
  1. login-security-solution.php +4 -1
  2. readme.txt +24 -18
login-security-solution.php CHANGED
@@ -6,7 +6,7 @@
6
  * Description: Requires very strong passwords, repels brute force login attacks, prevents login information disclosures, expires idle sessions, notifies admins of attacks and breaches, permits administrators to disable logins for maintenance or emergency reasons and reset all passwords.
7
  *
8
  * Plugin URI: http://wordpress.org/extend/plugins/login-security-solution/
9
- * Version: 0.0.4
10
  * Author: Daniel Convissor
11
  * Author URI: http://www.analysisandsolutions.com/
12
  * License: GPLv2
@@ -1220,6 +1220,9 @@ class login_security_solution {
1220
  $prior = array_shift($chars);
1221
  $transitions = 0;
1222
  foreach ($chars as $char) {
 
 
 
1223
  if (abs( hexdec(bin2hex($char)) - hexdec(bin2hex($prior)) ) > 2) {
1224
  $transitions++;
1225
  }
6
  * Description: Requires very strong passwords, repels brute force login attacks, prevents login information disclosures, expires idle sessions, notifies admins of attacks and breaches, permits administrators to disable logins for maintenance or emergency reasons and reset all passwords.
7
  *
8
  * Plugin URI: http://wordpress.org/extend/plugins/login-security-solution/
9
+ * Version: 0.1.0
10
  * Author: Daniel Convissor
11
  * Author URI: http://www.analysisandsolutions.com/
12
  * License: GPLv2
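Review bot: the `Version:` header bump to 0.1.0 matches the new changelog entry in readme.txt, but none of the readme hunks in this diff touch a `Stable tag` line; since wordpress.org serves whatever release `Stable tag` points at, confirm it was bumped too or the directory will keep offering 0.0.4.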
1220
  $prior = array_shift($chars);
1221
  $transitions = 0;
1222
  foreach ($chars as $char) {
1223
+ // Use "> 2" because some alphabets have the upper and lower case
1224
+ // of a letter next to each other, so the next letter in the same
1225
+ // case is two points away.
1226
  if (abs( hexdec(bin2hex($char)) - hexdec(bin2hex($prior)) ) > 2) {
1227
  $transitions++;
1228
  }
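Review bot: the new comment explains the `> 2` threshold, but the loop body shown at 1222-1228 never reassigns `$prior`, so as visible every `$char` is compared against the first character rather than its predecessor; if `$prior = $char;` sits just below line 1228 this is fine, otherwise the transition count is wrong. Worth also stating in the comment that the threshold means distances of 1 and 2 are both treated as sequential, so pairs like `a`/`c` or `1`/`3` do not count as transitions; that is presumably the intended trade-off for alphabets with interleaved case, but a reader skimming the check will not infer it. Consider replacing the inline literal with a named value (for example `$max_sequential_distance = 2;` declared before the loop) so the comment and the code stay together.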
readme.txt CHANGED
@@ -10,7 +10,7 @@ Repels brute force attacks (by IP, name, password). Requires very strong passwor
10
  == Description ==
11
 
12
  * Blocks brute force and dictionary attacks without inconveniencing
13
- legitimate users
14
  + Tracks IP addresses, usernames, and passwords
15
  + If a login failure uses data matching a past failure, the plugin
16
  slows down response times. The more failures, the longer the delay.
@@ -35,9 +35,10 @@ The tests have caught every password dictionary entry I've tried.
35
  + Non-sequential keystrokes (custom sequence files can be added)
36
  + Not in the password dictionary files you've provided (if any)
37
  + Decodes "leet" speak
38
- + Not found by the `dict` dictionary program (if available)
 
39
 
40
- * Password aging (optional)
41
  + Users need to change password every x days (customizable)
42
  + Grace period for picking a new password (customizable)
43
  + Remembers old passwords (quantity is customizable)
@@ -62,7 +63,8 @@ The tests have caught every password dictionary entry I've tried.
62
  = Improvements Over Similar WordPress Plugins =
63
 
64
  * The plugin itself is secure against SQL, HTML, and header injections
65
- * Notice-free code means no information disclosures if error_reporting = E_ALL
 
66
  * Only loads files, actions, and filters needed for enabled options
67
  and the page's context
68
  * Provides an option to have deactivation remove all of this plugin's
@@ -79,7 +81,7 @@ The tests have caught every password dictionary entry I've tried.
79
  You're probably thinking "There's nothing valuable on my website. No one
80
  will bother breaking into it." What you need to realize is that attackers
81
  are going after your visitors. They put stealth code on your website
82
- that pushes malware into the browsers of the people looking at your site.
83
 
84
  > According to SophosLabs more than 30,000 websites are infected
85
  > every day and 80% of those infected sites are legitimate.
@@ -90,7 +92,7 @@ that pushes malware into the browsers of the people looking at your site.
90
  > -- [*Security Threat Report 2012*](http://www.sophos.com/en-us/security-news-trends/reports/security-threat-report/html-08.aspx)
91
 
92
  So if your site does get cracked, not only do you waste hours cleaning up,
93
- your reputation is sullied, security software flags your site as dangerous,
94
  and worst of all, you've inadvertently helped infect the computers of your
95
  clients and friends.
96
 
@@ -98,7 +100,7 @@ clients and friends.
98
  == Installation ==
99
 
100
  1. Download the package
101
- from `http://wordpress.org/extend/plugins/login-security-solution/`
102
 
103
  1. Unzip the file.
104
 
@@ -177,7 +179,8 @@ The plugin needs to be placed in the `wp-contents/plugins` directory of
177
  a working WordPress installation. The plugin does not need to be
178
  activated for the tests to run.
179
 
180
- To execute the tests, `cd` into the `tests` directory and call `phpunit .`.
 
181
 
182
  Please note that the tests make extensive use of database transactions.
183
  Many tests will be skipped if your `wp_options` and `wp_usermeta` tables
@@ -204,6 +207,9 @@ Ask and ye shall receive.
204
 
205
  == Changelog ==
206
 
 
 
 
207
  = 0.0.4 =
208
  * Initial import to `plugins.svn.wordpress.org`.
209
 
@@ -243,17 +249,17 @@ Select `login-security-solution` in the "Component" list.
243
  == Inspiration and References ==
244
 
245
  * Password Research
246
- + [You can never have too many passwords: techniques for evaluating a huge corpus](http://www.cl.cam.ac.uk/~jcb82/doc/B12-IEEESP-evaluating_a_huge_password_corpus.pdf)
247
- + [Analyzing Password Strength](http://www.cs.ru.nl/bachelorscripties/2010/Martin_Devillers___0437999___Analyzing_password_strength.pdf)
248
- + [Consumer Password Worst Practices](http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf)
249
- + [Preventing Brute Force Attacks on your Web Login](http://www.bryanrite.com/preventing-brute-force-attacks-on-your-web-login/)
250
- + [Password Strength](http://xkcd.com/936/)
251
 
252
  * Technical Info
253
- + [The Extreme UTF-8 Table](http://doc.infosnel.nl/extreme_utf-8.html)
254
- + [A Recommendation for IPv6 Address Text Representation](http://tools.ietf.org/html/rfc5952)
255
 
256
  * Password Lists
257
- + [Dazzlepod Password List](http://dazzlepod.com/site_media/txt/passwords.txt)
258
- + [Common Passwords](http://www.searchlores.org/commonpass1.htm)
259
- + [The Top 500 Worst Passwords of All Time](http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time)
10
  == Description ==
11
 
12
  * Blocks brute force and dictionary attacks without inconveniencing
13
+ legitimate users or administrators
14
  + Tracks IP addresses, usernames, and passwords
15
  + If a login failure uses data matching a past failure, the plugin
16
  slows down response times. The more failures, the longer the delay.
35
  + Non-sequential keystrokes (custom sequence files can be added)
36
  + Not in the password dictionary files you've provided (if any)
37
  + Decodes "leet" speak
38
+ + The password/phrase is not found by the `dict` dictionary
39
+ program (if available)
40
 
41
+ * Password aging (optional) (not recommended)
42
  + Users need to change password every x days (customizable)
43
  + Grace period for picking a new password (customizable)
44
  + Remembers old passwords (quantity is customizable)
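Review bot: `(not recommended)` is added to the password aging option without a reason; one clause explaining why (forced rotation pushes users toward predictable, incrementally modified passwords and toward writing them down) would stop readers from wondering why a security plugin ships a feature it advises against. Also, the `dict` bullet now wraps onto a second line inside a nested `+` list; confirm the wordpress.org readme renderer keeps `program (if available)` inside the bullet rather than starting a new paragraph.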
63
  = Improvements Over Similar WordPress Plugins =
64
 
65
  * The plugin itself is secure against SQL, HTML, and header injections
66
+ * Notice-free code means no information disclosures if `display_errors`
67
+ is on and `error_reporting` includes `E_NOTICE`
68
  * Only loads files, actions, and filters needed for enabled options
69
  and the page's context
70
  * Provides an option to have deactivation remove all of this plugin's
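Review bot: the reworded claim is more precise than the old `error_reporting = E_ALL` wording, since a notice only discloses file paths or variable names when `display_errors` is on. Consider adding a sentence telling site owners to keep `display_errors` off in production regardless, because other plugins on the same site will not be notice-free and this plugin's care does not protect against their leaks.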
81
  You're probably thinking "There's nothing valuable on my website. No one
82
  will bother breaking into it." What you need to realize is that attackers
83
  are going after your visitors. They put stealth code on your website
84
+ that pushes malware into your readers' browsers.
85
 
86
  > According to SophosLabs more than 30,000 websites are infected
87
  > every day and 80% of those infected sites are legitimate.
92
  > -- [*Security Threat Report 2012*](http://www.sophos.com/en-us/security-news-trends/reports/security-threat-report/html-08.aspx)
93
 
94
  So if your site does get cracked, not only do you waste hours cleaning up,
95
+ your reputation gets sullied, security software flags your site as dangerous,
96
  and worst of all, you've inadvertently helped infect the computers of your
97
  clients and friends.
98
 
100
  == Installation ==
101
 
102
  1. Download the package
103
+ from `http://wordpress.org/extend/plugins/login-security-solution/`
104
 
105
  1. Unzip the file.
106
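Review bot: the `-`/`+` pair for the download URL line is textually identical in this hunk, so the change is whitespace only (trailing whitespace or indentation). A whitespace-only hunk is fine, but say so in the commit message so reviewers do not hunt for a content change that is not there.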
 
179
  a working WordPress installation. The plugin does not need to be
180
  activated for the tests to run.
181
 
182
+ To execute the tests, `cd` into this plugin's directory and
183
+ call `phpunit tests` .
184
 
185
  Please note that the tests make extensive use of database transactions.
186
  Many tests will be skipped if your `wp_options` and `wp_usermeta` tables
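Review bot: the new instructions have a stray space before the full stop in `` `phpunit tests` . ``. More importantly, running `phpunit tests` from the plugin root instead of `phpunit .` from inside `tests/` changes the working directory PHPUnit searches for `phpunit.xml` and any bootstrap file, so make sure the configuration the suite relies on lives in the plugin root (or document a `-c` flag), and record the change in the changelog since the previous instructions are now wrong.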
207
 
208
  == Changelog ==
209
 
210
+ = 0.1.0 =
211
+ * Beta release.
212
+
213
  = 0.0.4 =
214
  * Initial import to `plugins.svn.wordpress.org`.
215
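Review bot: the `0.1.0` changelog entry says only `Beta release.`, while this diff changes user-visible documentation (password aging marked not recommended, the test invocation moved to the plugin root, the `display_errors` clarification) and adds the threshold comment in the keystroke sequence check. List those items so the entry is useful to someone upgrading from 0.0.4.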
 
249
  == Inspiration and References ==
250
 
251
  * Password Research
252
+ + [You can never have too many passwords: techniques for evaluating a huge corpus](http://www.cl.cam.ac.uk/~jcb82/doc/B12-IEEESP-evaluating_a_huge_password_corpus.pdf), Joseph Bonneau
253
+ + [Analyzing Password Strength](http://www.cs.ru.nl/bachelorscripties/2010/Martin_Devillers___0437999___Analyzing_password_strength.pdf), Martin_Devillers
254
+ + [Consumer Password Worst Practices](http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf), Imperva
255
+ + [Preventing Brute Force Attacks on your Web Login](http://www.bryanrite.com/preventing-brute-force-attacks-on-your-web-login/), Bryan Rite
256
+ + [Password Strength](http://xkcd.com/936/), Randall Munroe
257
 
258
  * Technical Info
259
+ + [The Extreme UTF-8 Table](http://doc.infosnel.nl/extreme_utf-8.html), infosnel.nl
260
+ + [A Recommendation for IPv6 Address Text Representation](http://tools.ietf.org/html/rfc5952), Seiichi Kawamura and Masanobu Kawashima
261
 
262
  * Password Lists
263
+ + [Dazzlepod Password List](http://dazzlepod.com/site_media/txt/passwords.txt), Dazzlepod
264
+ + [Common Passwords](http://www.searchlores.org/commonpass1.htm), Fravia
265
+ + [The Top 500 Worst Passwords of All Time](http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time), Mark Burnett
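Review bot: `Martin_Devillers` in the Analyzing Password Strength entry has an underscore where the other attributions use a space, presumably copied from the PDF filename; it should read `Martin Devillers`. Otherwise the added attributions follow one consistent pattern (author after the link, comma separated), which is good.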