Extension:SecurePasswords

From MediaWiki.org

SecurePasswords

Release status: beta
Implementation: User identity
Description: Creates more secure password hashes in the database as well as a password strength checker
Author(s): Ryan Schmidt
Last version: 2.0
MediaWiki: 1.16.0+
License: None (Public Domain)

What can this extension do?

SecurePasswords is currently the only MediaWiki extension that can provide peace of mind to wiki owners that their wiki accounts are secure. It combines secure, uncrackable password hashes[1] with a configurable set of options to enforce when setting new passwords to ensure that user accounts do not fall victim to random password-cracking attempts.

From the front-end, you can enforce security policies on passwords by configuring the $wgValidPasswords variable:

  • Enforce a minimum password length to deter brute force attacks
  • Enforce that passwords need to contain a mixture of lowercase, uppercase, digits, and symbols (or any combination of the four that you see fit)
  • Enforce that the password cannot be the same as the username
  • Enforce that the password cannot be a word or a combination of words in the Dictionary[2]
  • And many more features, including password expiration, coming soon

From the back-end, you can rest assured knowing that only hashing algorithms that have not been cracked or that would require an infeasible amount of effort to crack were selected in hashing the passwords. To ensure extra security, the hashes use the HMAC format, which requires a secret key in order to replicate or crack the hash. To top it off, SecurePasswords hashes the password not once, but twice using yet another secure hash in HMAC format (both hashes chosen are random, but guaranteed to be secure, and they each use different secret keys). Then, the hash is encrypted using yet another secret key before finally being stored in the database in binary format. For those keeping track, that's over five layers of security governing the password hash stored in the database, which ensures that even in the event of a database leak, there is no way that an attacker can steal someone's credentials on the wiki.
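The layering described above, and the key-change caveat listed under Caveats, as an added PHP sketch that is not the extension's code. The algorithm list, the record layout, the function names sp_store() and sp_verify(), and the use of OpenSSL's AES-256-CBC for the encryption step are all assumptions made for illustration.

```php
<?php
// Added sketch; not the extension's code. Algorithms, record layout and the
// OpenSSL cipher are assumptions. $keys is an array of three secret strings.
const SP_ALGOS = ['sha256', 'sha512'];

function sp_store(string $password, array $keys): string {
    $a = random_int(0, count(SP_ALGOS) - 1);   // algorithm for the first HMAC
    $b = random_int(0, count(SP_ALGOS) - 1);   // algorithm for the second HMAC
    $inner = hash_hmac(SP_ALGOS[$a], $password, $keys[0], true);
    $outer = hash_hmac(SP_ALGOS[$b], $inner, $keys[1], true);
    $iv = random_bytes(16);
    $aesKey = hash('sha256', $keys[2], true);  // 32-byte key derived from the third secret
    $ct = openssl_encrypt($outer, 'aes-256-cbc', $aesKey, OPENSSL_RAW_DATA, $iv);
    return chr($a) . chr($b) . $iv . $ct;      // binary record: algo ids, IV, ciphertext
}

function sp_verify(string $password, string $record, array $keys): bool {
    if (strlen($record) < 34) {
        return false;                          // too short to hold ids + IV + one block
    }
    $a = ord($record[0]);
    $b = ord($record[1]);
    if (!isset(SP_ALGOS[$a], SP_ALGOS[$b])) {
        return false;
    }
    $aesKey = hash('sha256', $keys[2], true);
    $stored = openssl_decrypt(substr($record, 18), 'aes-256-cbc', $aesKey,
        OPENSSL_RAW_DATA, substr($record, 2, 16));
    if ($stored === false) {
        return false;                          // wrong third key or damaged record
    }
    $inner = hash_hmac(SP_ALGOS[$a], $password, $keys[0], true);
    return hash_equals($stored, hash_hmac(SP_ALGOS[$b], $inner, $keys[1], true));
}

// Constructed keys for the demonstration only.
$keys = [bin2hex(random_bytes(32)), bin2hex(random_bytes(32)), bin2hex(random_bytes(32))];
$record = sp_store('correct horse', $keys);

var_dump(sp_verify('correct horse', $record, $keys));   // same keys, same password
var_dump(sp_verify('wrong guess', $record, $keys));     // same keys, other password

$rotated = $keys;
$rotated[1] = bin2hex(random_bytes(32));                // one key replaced
var_dump(sp_verify('correct horse', $record, $rotated));
```

Every stored record depends on all three keys, so the keys need the same backup and access control as the database itself.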

Prerequisites

Before installing this extension, make sure that the following PHP extensions are installed. This extension will not work without them:

In addition, it is recommended that you install the following PHP extension to enable additional functionality (it is not required):

  • pspell - allows checking passwords against a dictionary

Installation

To install this extension, unpack the extension to /extensions (it should create a new directory called SecurePasswords).

Then, execute the securepasswords.sql file either via the sql.php maintenance script or directly in MySQL (be sure to add the correct prefix to the tables if doing the latter). This will expand the password fields in the user table to allow more characters to be stored in them (otherwise most of the hashes will be truncated, which means your users will not be able to log in).

Finally, add the following near the end of your LocalSettings.php file:

require_once("$IP/extensions/SecurePasswords/SecurePasswords.php");
$wgSecurePasswordsSecretKeys = array(
	//see below for what should go here
);

Configuration parameters

$wgValidPasswords is an associative array of what to check for when validating new passwords. The default values and descriptions are below:

$wgValidPasswords = array(
	'minlength' => $wgMinimalPasswordLength, #Minimum password length, should be at least 8 for decent security
	'lowercase' => true, #Should we require at least one lowercase letter?
	'uppercase' => true, #Should we require at least one uppercase letter?
	'digit'     => true, #Should we require at least one digit?
	'special'   => false, #Should we require at least one special character (punctuation, etc.)?
	'usercheck' => true, #Should we disallow passwords that are the same as the username?
	'wordcheck' => function_exists( 'pspell_check' ), #Should we check the password against a dictionary to make sure that it is not a word?
);

$wgSecurePasswordsSpecialChars is a character class of special characters checked for if 'special' is true in $wgValidPasswords. Characters that have special meanings in regular expressions must be escaped with "\". The default value is below:

$wgSecurePasswordsSpecialChars = '.|\/!@#$%^&*\(\)-_=+\[\]{}`~,<>?\'";: '; # Character class of special characters for a regex
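The checks configured by $wgValidPasswords, as an added PHP example that is not the extension's code. The helper sp_check() is hypothetical and assumes the special-character string is placed between [ and ] in a PCRE pattern, as the description of $wgSecurePasswordsSpecialChars suggests. Under that assumption the unescaped "-" in the default value forms a range, which the example compares against a variant with the hyphen escaped.

```php
<?php
// Added example; not the extension's code. sp_check() is a hypothetical helper that
// assumes the special-character string is placed between [ and ] in a PCRE pattern.
function sp_check(string $pw, string $user, array $policy, string $specials): array {
    $classes = [
        'lowercase' => 'a-z',
        'uppercase' => 'A-Z',
        'digit'     => '0-9',
        'special'   => $specials,
    ];
    $failed = [];
    if (strlen($pw) < $policy['minlength']) {
        $failed[] = 'minlength';
    }
    foreach ($classes as $rule => $class) {
        if (!empty($policy[$rule]) && !preg_match('/[' . $class . ']/', $pw)) {
            $failed[] = $rule;
        }
    }
    // Case-insensitive comparison is a choice made for this example.
    if (!empty($policy['usercheck']) && strcasecmp($pw, $user) === 0) {
        $failed[] = 'usercheck';
    }
    if (!empty($policy['wordcheck']) && function_exists('pspell_new')) {
        $dict = pspell_new('en');
        if ($dict !== false && pspell_check($dict, $pw)) {
            $failed[] = 'wordcheck';
        }
    }
    return $failed;   // names of the rules the password does not satisfy
}

$policy = ['minlength' => 8, 'lowercase' => true, 'uppercase' => true, 'digit' => true,
           'special' => true, 'usercheck' => true, 'wordcheck' => false];

// Default value from this page: "\)-_" is a range from ")" to "_", which covers 0-9 and A-Z.
$default = '.|\/!@#$%^&*\(\)-_=+\[\]{}`~,<>?\'";: ';
// Same characters with the hyphen escaped so that it is matched literally.
$literal = '.|\/!@#$%^&*\(\)\-_=+\[\]{}`~,<>?\'";: ';

// Constructed sample passwords; each line lists the rules that failed per class.
foreach (['Password1', 'Passw0rd!', 'alice'] as $candidate) {
    printf("%-10s default=[%s] literal=[%s]\n", $candidate,
        implode(',', sp_check($candidate, 'Alice', $policy, $default)),
        implode(',', sp_check($candidate, 'Alice', $policy, $literal)));
}
```

When 'special' is enabled, escaping the hyphen (or moving it to the end of the string) makes the rule require an actual punctuation character.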

$wgSecurePasswordsSecretKeys is an array of three secret keys to be used when hashing passwords. These keys, once set, should never be changed and should never be shared with anyone, as they are used when hashing and encrypting the password hashes. An example value is below:

$wgSecurePasswordsSecretKeys = array(
	//these MUST be changed to something else
	//the keys here were generated via a SHA256-like algorithm, but in reality they can be anything
	'18c28f495efb5f9979fe56beff1b06fa28bec9acb556464e8398707ad97e8d86',
	'0e28c432fcd738f3b1a440a2bd788fa420788b27ee991411d9093618a9650215',
	'2334526ba0b3bfe77aa985c067a20f1e7edf7ba66ae6505b4066ca7ad2b75be4'
);

Caveats

  • Passwords hashed without this extension and current passwords that do not meet the strength criteria will still work, but this extension will make no effort to contact these users to change their passwords to take advantage of the new security.
  • The message override to explain the restrictions is an utter hack. As such, changes you make to MediaWiki:Securepasswords-password might or might not work (I'm not entirely sure).
  • Changing $wgSecurePasswordsSecretKeys after it has been set up will render every old hash using the old secret keys useless, so don't change the keys unless you absolutely must.

Changelog

Version 2.0
Refactor code to no longer depend on $wgSecretKey. In addition, the dependencies on mcrypt and zlib are now required, and only strong hash types (in hmac format) are used to hash passwords. Backwards-compatibility with version 1.x maintained. Now beta.
Version 1.1
Removed the 'maxlength' parameter to $wgValidPasswords, moved the special characters into a global, overrides the default "Invalid password" message with a custom one explaining the restrictions (albeit in an utterly-hacked way).
Version 1.0
Initial version. Experimental.

Footnotes

  1. unless you share your secret keys, in which case they will be significantly less secure
  2. Requires the "pspell" extension for PHP, listed in #Prerequisites