Description
Disallow WordPress and WooCommerce users from using pwned passwords.
Goal
Spoiler alert: user passwords never leave your server in any form, not even hashed.
Although reusing passwords is solely the users' own fault, when evil attackers brute-force a user's password and steal all their personal information, or spend the user's hard-earned money through your site, those lazy users blame you, the site owner/developer.
When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, ...
Passwords obtained from previous breach corpuses
— NIST Digital Identity Guidelines
This plugin's sole purpose is to disallow WordPress and WooCommerce users from reusing passwords listed in the Have I Been Pwned database.
Usage
Activate and forget.
This plugin intercepts when:
creating new users on /wp-admin/user-new.php
changing other users' passwords on /wp-admin/user-edit.php
changing your own password on /wp-admin/profile.php
new user registration on /wp-login.php?action=rp
Additional interceptions if WooCommerce is installed:
WC_Form_Handler::process_reset_password on Home » My account » Lost password
WC_Form_Handler::save_account_details on Home » My account » Account details
WC_Form_Handler::process_registration on Home » My account
WC_Checkout::validate_checkout on Home » Checkout
Explained so a five-year-old can understand
Troy Hunt, a well-known security expert, has collected 6,493,641,194 (and counting) pwned passwords
The pwned passwords are stored as SHA-1 hashes on haveibeenpwned.com
Whenever a WordPress/WooCommerce user tries to change their password, this plugin hashes the user's password
Take the first five characters of the hash
Ask haveibeenpwned.com for all pwned passwords whose hash starts with the same five characters
Check how many times the user's password appears in the Have I Been Pwned database
If it has been pwned, disallow the password change
Users older than five can learn more from:
Have I Been Pwned's FAQs
Why SHA-1 was chosen for Pwned Passwords
I've (Troy Hunt) Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download
Original plugin description
Disallow WordPress and WooCommerce users using pwned passwords.
Goal
Spoiler Alert: User passwords never leave your server, not even in hashed form.
Although reusing passwords is solely the users’ own fault, when evil attackers brute-force a user’s password and steal all their personal information, or spend the user’s hard-earned money through your site, those lazy users blame you, the site owner/developer.
When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example,…
Passwords obtained from previous breach corpuses
— NIST Digital Identity Guidelines
This plugin’s sole purpose is to disallow WordPress and WooCommerce users from reusing passwords listed in the Have I Been Pwned database.
Usage
Activate and forget.
This plugin intercepts when:
creating new users on /wp-admin/user-new.php
changing other users’ passwords on /wp-admin/user-edit.php
changing your password on /wp-admin/profile.php
new user registration on /wp-login.php?action=rp
Additional interceptions if WooCommerce is installed:
WC_Form_Handler::process_reset_password on Home » My account » Lost password
WC_Form_Handler::save_account_details on Home » My account » Account details
WC_Form_Handler::process_registration on Home » My account
WC_Checkout::validate_checkout on Home » Checkout
Explain It Like I’m Five
Troy Hunt, a well-known security expert, has collected 6,493,641,194 (and counting) pwned passwords from previous security breaches
Pwned passwords are stored as SHA-1 hashes on haveibeenpwned.com
Whenever WordPress / WooCommerce users attempt to change their passwords, this plugin hashes the user password
Take the first 5 characters from the hash
Ask haveibeenpwned.com for all pwned passwords with the same first 5 hash characters
Check how many times the user password appears in the Have I Been Pwned database
Disallow the password change if it has been pwned
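The k-anonymity check described in the steps above, written out as an added stand-alone Python example (not the plugin’s own PHP code): only the first five characters of the SHA-1 hash leave the server, and the comparison against the returned suffix list happens locally. The range-API response body below is constructed for the example; the `fetch_range` callable stands in for the HTTPS GET to `https://api.pwnedpasswords.com/range/<prefix>`.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample of a Pwned Passwords range-API response for prefix 5BAA6.
# A real response lists every suffix in that range as "SUFFIX:COUNT" lines.
# The first suffix is the real remainder of SHA-1("password"); the counts and
# the other two suffixes are made up for this example.
SAMPLE_RANGE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "1E2AAA439C4D4E1DA2A2AB9A9C0D5B4F4A0:2\r\n"
    "1E3C27F2F5B0E9E7B3F6D4C1E5A8B6F9D01:17\r\n"
)


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split the upper-case hex digest into the
    5-character prefix that is sent out and the 35-character suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, tolerating CRLF and blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in the breach corpus (0 if never).
    The full hash never leaves this function; only the prefix is passed out."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def is_allowed(password: str, fetch_range: Callable[[str], str]) -> bool:
    """Policy the plugin applies: reject any password seen in a breach."""
    return pwned_count(password, fetch_range) == 0


def sample_fetch(prefix: str) -> str:
    """Offline stand-in for the range-API request; note it only ever sees 5 chars."""
    assert len(prefix) == 5
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""
```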
Users older than five can learn more from:
Have I Been Pwned’s FAQs
Why SHA-1 was chosen in the Pwned Passwords
I’ve [Troy Hunt] Just Launched “Pwned Passwords” V2 With Half a Billion Passwords for Download
Validating Leaked Passwords with k-Anonymity
For Developers
Fork the plugin on GitHub.
