Semisecure Login

UPDATE [2009-04-01]: As you are possibly aware, Semisecure Login has not functioned with a stock WordPress install since before version 2.5. Moggy has created a new plugin (called Semisecure Login Reimagined) which is available for download here. You can check out his blog post about it for more information. This page is being kept merely for historical purposes (I’m a bit of a packrat).

 

The Semisecure Login plugin for WordPress increases the security of the login process by using client-side MD5 encryption on the password when a user logs in. JavaScript is required to enable encryption. When JavaScript is not available, the password is transmitted in plaintext (as normal), but authentication still completes in this case.

It is most useful for situations where SSL is not available, but the administrator wishes to have some additional security measures in place without sacrificing convenience.

Background

In setting up this new site, I encountered what I considered to be a bit of a shortcoming in the stock WordPress system – virtually no security against replay attacks in the admin system. I guess that the authors assume some sort of SSL encryption being available if you want to prevent your website from being hijacked (or else limiting admin access based on IP, which is less-than-desirable).

As I am too cheap cost-conscious to have a dedicated IP and SSL cert for my personal site, I thought of a couple options for allowing the convenience of logging on anywhere while still protecting my password.

  1. Create some sort of web-based tunnel. Not particularly feasible without having some SSL certificate/dedicated IP elsewhere, which just moves the problem instead of addressing it.
  2. Use JavaScript to one-way encrypt the password on-the-fly. This requires JavaScript to ensure proper security, but hey, it’s hard to have your cake and eat it too.

I opted for the second solution. I thought to myself, “Surely there exists a plugin for this already? Don’t thousands of users have blogs on non-SSL servers and need some form of protection?” Lo and behold, not more than a few weeks ago, Enrico Rossomando created a plugin that served a very similar purpose! “Well, this is perfect!” I thought to myself. I installed it as directed, and set to testing it out.

Unfortunately, it wasn’t perfect in my mind. In the event JavaScript was disabled, it failed miserably, with no indicators that JavaScript was required (this goes against the high emphasis I place on gracefully degrading code). I took a look at the code, and was a bit surprised at the methods it was using to perform the authentication. Also, the password field was being modified as it was sent, which caused extra characters appearing before the form was redirected. I decided I could meet my needs better with my own code, and thus it was that I plunged into the world of WordPress plugin creation.

Download

Click here to download the plugin at the official WordPress page. Installation instructions and a Changelog are there as well.

Questions/Comments?

Leave ’em below!

18 Comments

  1. Hi James 🙂

    I get two errors:

    Warning: session_start() [function.session-start]: Cannot send session cookie – headers already sent by (output started at /……/wp-login.php:30) in /…/wp-content/plugins/semisecure-login/semisecure-login.php on line 43

    and

    Warning: session_start() [function.session-start]: Cannot send session cache limiter – headers already sent (output started at /…/wp-login.php:30) in /…/wp-content/plugins/semisecure-login/semisecure-login.php on line 43

    the plugin seems to work

    I use wp 2.2.1 in italian.

    Do you know a way to fix it?

  2. @arquimede: I’ve updated a change that suppresses that warning. Out of curiosity, what version of PHP are you running, and what other plugins are you using? I assume that I don’t get this error because I have output buffering enabled somewhere – perhaps this is a setting in my php.ini that I didn’t realize was set.

  3. php 4.4.2, I have downloaded the last update of Semisecure login (1.03) right now, and it does display no more warnings

    I have tested it with wp 2.3 and wp MU 1.2.5 (should be PHP 5.2.3 for both of them) and it does not display any error message

    Thanx a lot for the fixing 🙂

  4. Hi James..
    I’m a sort of Enrico’s friend. I used to be the tester of the plugin on my site, and then when I encountered problems i told them to Enrico.
    Personally, I find your suggestions very useful, expecially when you talk about user-friendly code: to be honest, when he first developed the plugin, he only wanted to write a plugin that worked. No matter about users and all the rest.

    Surely, when I see your solution (When I registered on wordpress I noticed the changes) I appreciate the kind of communication you use.

    Only one question: have you also changed the core code – the part that really transformes the password?

    Thanks in advance! Michele

  5. well, maybe you have written a completely new plugin / not based on enrico’s idea? can’t understand… tomorrow I’ll try it.

    Michele

  6. @Musikele: The part that “changes” the password has changed in a few ways. First of all, the “salt” that is added to the password before it is encrypted is pulled from a larger pool of “potential salts.” Also, I force the salt to be changed after each potential use, preventing the same “encoded” password to be used twice in a row. Enrico’s version only changed the salt when a user logged out. Also, I use different hooks to accomplish similar purposes, which I feel are more in line with “standard WordPress practices.” I still use the exact same md5 JavaScript functions that were used in Enrico’s plugin (copyright Paul Johnston), but I pretty much rewrote the entire core, “inspired” in a way by Enrico’s work.

    I hope that answers your question – if you had any other specific questions or concerns, please let me know!

  7. Hi, I recently downloaded version 1.0.3 and installed it to WordPress 2.3.1.
    It works ok but there is one problem…I have to log in twice. Everytime I access the admin page it always gives me a wrong password the first time and then it works the second time, can you see any reason for this? Thanks.

  8. @eb001: I’m using version 1.0.3 on WordPress 2.3.2, and I don’t see the behavior that you’re describing. Do you have any other login/session management plugins? What URL are you using to access the login page? What browser are you using (it may be JavaScript-related)?

  9. I am also using the wp-password plugin, do you think there is a conflict?
    It happens with every browser I’ve tried (IE7, Firefox, Opera).

  10. I too have to login twice when I first view my login form (no session maybe?) and the “remember me” also doesn’t work. I’m using Firefox 2.0.0.12.

    The double login even happens here on this blog.

    The no remember me is due to the plugin’s usage of wp_setcookie() without the remember me tag in place I think.

  11. Having a strange problem where, when using Firefox 3 beta 5, when I try to login to my blog it tells me the password is incorrect. It doesn’t show any error message, except for saying ‘incorrect password’. I can still log in via internet explorer, but just not with firefox. I’m using wordpress 2.5 on my blog. It doesn’t happen when I login here to post a comment (looks like you’re running 2.3.1) so seems to be a problem with firefox and 2.5…

  12. Hi!

    I am having the exact same problem as the previous poster. I cannot log in using Firefox 2.0.0.14. Luckily, IE indeed works, so I was able to use it to deactivate the plugin.

  13. I also have to login twice, as Viper007Bond and eb001 do. I use WordPress 2.3.3 and Firefox. Any ideas to solve this? Thanks for such a useful plugin.

  14. If anyone’s interested, I’ve fixed this plugin for WordPress 2.5.

    2.5 introduced a new hashing scheme and deprecated the hook this plugin was relying on. There’s a new hook (check_password) that can be used for the same purpose. Hashing was trickier, but rather than try to recreate phpass() in Javascript, I used the MD5 Password Hashes plugin for 2.5 to revert to the legacy behavior. My fix is dependent on that plugin. In any case, I think transmitting a password in plain text across a network is a far more serious security risk, so I’m happy to trade down to MD5 in exchange for fixing that.

    My fix restores the plugin’s functionality for 2.5, including the very nice behavior of graceful degradation in the absence of client-side Javascript. Anyone interested?

  15. First time trying this plugin but it seems to be broken in WP-2.7
    Same as previous posts- when enabled getting invalid passwd
    Doesn’t seem to be browser dependent, tried on both Opera and Firefox.
    Hope this can be fixed JMA – this looks like a valuable plugin. thanks.

Leave a Reply to Viper007BondCancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.