A reimagining of WordPress authentication using modern security practices.
| Author: | Carl Alexander (profile at wordpress.org) |
| WordPress version required: | 4.8.0 |
| WordPress version tested: | 4.9.5 |
| Added to WordPress repository: | 02-03-2018 |
Wait, so are you sending my password to a 3rd party!?
No, the plugin never sends your full password to a 3rd party for verification. The plugin only sends the first five characters of the SHA-1 hashed password to a 3rd party. The 3rd party then sends back all passwords with a hash that starts with those five characters.
The plugin then handles the rest of the password validation itself. It compares the SHA-1 hashed version of your password to the passwords returned by the 3rd party. We call this process k-anonymity. (You can read more about validating leaked passwords with it here.)
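The exchange described above, as an added Python example that is not the plugin's own code (the plugin itself is written in PHP). `FakeRangeServer`, `parse_range` and `leak_count` are hypothetical names, the sample passwords and counts are constructed, and the `SUFFIX:COUNT` response lines are assumed to follow the format the HIBP range API returns.

```python
import hashlib

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password (40 characters)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

class FakeRangeServer:
    """Constructed stand-in for the 3rd party; it only ever receives prefixes."""
    def __init__(self, leaked_counts):
        self.seen = []   # every value the "3rd party" was sent
        self.index = {}  # 5-char prefix -> [(35-char suffix, count), ...]
        for password, count in leaked_counts.items():
            digest = sha1_hex(password)
            self.index.setdefault(digest[:5], []).append((digest[5:], count))

    def range(self, prefix: str) -> str:
        self.seen.append(prefix)
        rows = self.index.get(prefix, [])
        return "\r\n".join(f"{suffix}:{count}" for suffix, count in rows)

def parse_range(body: str) -> dict:
    """Parse SUFFIX:COUNT lines, skipping anything malformed."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def leak_count(password: str, fetch_range) -> int:
    """Send only the first five hash characters; compare the rest locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch_range(prefix)).get(suffix, 0)

# Constructed sample data, not real breach counts.
SERVER = FakeRangeServer({"password": 3, "letmein": 2, "hunter2": 1})

if __name__ == "__main__":
    for candidate in ("password", "a long unleaked passphrase 91!"):
        print(candidate, "->", leak_count(candidate, SERVER.range))
    print("values sent to the 3rd party:", SERVER.seen)
```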
- Fixed missing settings_saved string in English translation [carlalexander]
- Added missing echo when translating
- Added Brazilian Portuguese translation [celsobessa]
- Reworked how the plugin handles its default translation [carlalexander]
Improved how the API client and password generator handle whether the API is online or not.
Reworked plugin to use the new version of the HIBP API (Have I been pwned? API) which supports k-anonymity. This allows the plugin to be used in production now.