Thursday 03 December 2015 by

Sending passwords via email in cleartext hasn’t been cool since about 1971, so Textpattern 4.6.0 (finally!) changes that.

To the best of my knowledge, Textpattern has never stored plaintext user passwords in its database, so we would likely miss out on a mention in PlainTextOffenders. But the system does send out registration and reset request passwords by email, which is ropey security practice because your email’s more than likely stored on someone else’s server.

When it comes to resetting forgotten passwords, no automated system is truly secure. There needs to be some time window to allow you to make such a change, but that leaves an open opportunity for someone wishing to gain unauthorised access to the system. So the trick is to:

  • make it cryptographically difficult to fake the requests; and
  • keep the time before the request expires fairly short

Textpattern 4.6.0 now does this, and more. The workflows, as they now happen, are described below.

Adding an author: account activation

Instead of being sent the login name and (temporary, pseudo-random character) password via the welcome email, you are now sent your login name and a link comprising a loooooong sequence of random characters, called a token.

Provided your hosting environment can supply cryptographically secure random bytes, this token is generated from them and is therefore very difficult to guess or forge. If your host is cryptographically challenged, it falls back on a password generation scheme similar to the one in 4.5.x, except that the value is longer, drawn from a broader set of characters, salted (random characters added) and then hashed (passed through a one-way algorithm) before being issued, so it’s still fairly secure, though not as strong as a truly random token.

When following the link, the new author is greeted with a login-style screen which prompts for a new password to be supplied. As each character is typed, a strength meter provides feedback on the estimated quality of the password. Everyone should be aiming for strong! There’s also a checkbox that allows the password to be temporarily unmasked for verification of what has been typed. This is a convenience to avoid having to enter the same password into two masked boxes, and in no way compromises the security of the stored password, which is only ever stored as a one-way hash, never in a recoverable form.

When the chosen password is submitted, Textpattern verifies the token is a) valid for the given author name, and b) within date, then sets the password and returns to the login prompt, sending an email to the new author in the process, with a link to the admin side.

By default, authors have a week to respond to activation requests, but this can be changed in your config.php by setting a number of hours in an ACTIVATION_EXPIRY_HOURS definition.

As an administrator, you may use the Admin->Users multi-edit tool to send another ‘welcome’ activation link in the event your author doesn’t respond in time.

Resetting a forgotten password

Just as in 4.5.x, supply your username and you will be sent a reset link. But this is a far stronger link than in prior versions of Textpattern for two reasons:

  • It is cryptographically strong (providing your host supports true randomness: see above).
  • It does not leak your username.

In versions prior to 4.6.0, your username was embedded in the link, encoded as a sequence of ASCII digits that anyone could trivially decode. Now a single-use, unique, randomly generated selector is created to refer to your account and that is placed in the link instead. This way, user IDs and login names are never revealed.

Following the link will result in a ‘Set password’ box being shown, similar to the one that new authors see when setting a password for the first time (see above). You type a new password and have a strength meter and the ability to temporarily unmask the password for verifying what you typed.

Upon submission, the token is validated and your password is set. A confirmation email is sent out informing you that the password has changed, but the password itself is not mailed.

By default you have ninety minutes to respond to a reset request before it expires. This can be altered in your config.php with a line such as the following (the value is in minutes):

define('RESET_EXPIRY_MINUTES', '240');

Changing your own password from the admin side

Very little has changed here. The only differences are:

  • You are asked for your old password in case you’ve left yourself logged in or your session was validated via a cookie.
  • You are shown a password strength meter as standard on the new password box.
  • The checkbox that used to say “Mail it to me” is now gone, replaced instead with the ability to unmask the password for verification of what you’ve just typed.

Passwords during setup

When first installing Textpattern, the MySQL password box is masked (with the ability to unmask), and likewise with the password box for your initial admin user. The latter also has a strength meter attached to it. No excuses for rubbish passwords any more!

Behind the scenes tech

For those with a curious mindset who don’t read code, here are some technical details on what’s going on backstage:

  • A new txp_token table has been introduced which keeps track of activation and reset tokens. This is generic and openly available for plugin developers to use. Plugin authors have traditionally resorted to using their own tables or abusing the txp_discuss_nonce table. This is no longer necessary as the new, dedicated table is better suited to the task.
  • The hash algorithm used by default for tokens has been upgraded from md5 (which has known weaknesses) to ripemd256. If you wish to alter this, set the HASHING_ALGORITHM definition in your config.php to any algorithm name that your PHP build’s hash_algos() reports.
  • Random salts to strengthen the hashes are generated using the same algorithm, and their length is set by another config.php value: tinker with SALT_LENGTH to change it from its default of 64.
  • Activation and reset tokens are not validated immediately on first page visit. This is by design: an attacker must first submit a password value and wait out the short delay before the token is checked, which slows single-threaded brute-force attempts against tokens. The token’s length and short lifetime remain the primary defence; the delay just makes each guess more expensive.
  • Tokens auto-expire because they are tied to the login nonce and the existing password, so if either the password changes or the account is used to log in, all outstanding tokens become invalid. In addition, in most cases, whenever a new token is generated, older ones for the same user are flushed from the database.
  • The strength meter is provided by zxcvbn. This excellent library employs common sense rules on passwords, deeming that a long password made up of four or more unrelated words is better than a shorter one with letters replaced as numbers or symbols that satisfy arbitrary criteria.
  • When an author account is created, a secure temporary password is generated, hashed and the original discarded so there is no record of it remaining. This prevents access to an inactive account via an empty password.
  • Other places where md5() is used for sensitive information (e.g. the login cookie nonces) will be phased out in due course.
  • The old functions for mailing out passwords are deprecated and will be removed in a future version.
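To make the reset workflow and the token mechanics above concrete, here is a small PHP sketch of the same idea. It is an added example written for this post, not Textpattern’s own code: the function names, the array standing in for the txp_token table, the selector:token layout of the link and the way the nonce and password hash are folded into the token digest are all assumptions made here. It shows a random selector that names the account without leaking its ID or login name, a token stored only as a salted hash, a constant-time comparison, expiry, single use, and automatic invalidation when the password changes.

```php
<?php
declare(strict_types=1);

// Added example, not Textpattern's code. Names, the array-based "txp_token"
// stand-in and the selector:token link layout are all assumptions made here.

const HASHING_ALGORITHM    = 'ripemd256'; // the post's new default
const SALT_LENGTH          = 64;          // hex characters, the post's default
const RESET_EXPIRY_MINUTES = 90;          // the post's default

/** Secure random hex string, with the sort of fallback the post describes. */
function secure_random_hex(int $bytes): string
{
    if (function_exists('random_bytes')) {               // PHP 7+: CSPRNG
        return bin2hex(random_bytes($bytes));
    }
    if (function_exists('openssl_random_pseudo_bytes')) {
        $out = openssl_random_pseudo_bytes($bytes, $strong);
        if ($out !== false && $strong) {
            return bin2hex($out);
        }
    }
    // "Cryptographically challenged" host: not truly random, but long and
    // passed through the configured one-way hash before it leaves.
    $seed = uniqid((string) mt_rand(), true) . microtime(true) . getmypid();
    return substr(hash(HASHING_ALGORITHM, $seed), 0, $bytes * 2);
}

/** Issue a reset token for a user. Only a salted hash of it goes in the table. */
function issue_reset_token(array &$table, int $userId, string $nonce, string $passHash, int $now): array
{
    // Flush this user's older reset tokens, as the post says happens in most cases.
    foreach ($table as $sel => $row) {
        if ($row['user_id'] === $userId && $row['type'] === 'password_reset') {
            unset($table[$sel]);
        }
    }
    $selector = secure_random_hex(16);            // opaque lookup key: no id or name in it
    $token    = secure_random_hex(32);            // the secret part of the link
    $salt     = secure_random_hex(intdiv(SALT_LENGTH, 2));
    $table[$selector] = [
        'user_id'    => $userId,
        'type'       => 'password_reset',
        'salt'       => $salt,
        // Folding the login nonce and current password hash into the digest is
        // one way (assumed here) to make the token die when either changes.
        'token_hash' => hash(HASHING_ALGORITHM, $salt . $token . $nonce . $passHash),
        'expires'    => $now + RESET_EXPIRY_MINUTES * 60,
    ];
    return ['selector' => $selector, 'token' => $token];
}

/** Check a presented selector/token pair. Returns the user id, or null. */
function validate_reset_token(array &$table, string $selector, string $token, string $nonce, string $passHash, int $now)
{
    if (!isset($table[$selector])) {
        return null;                              // unknown selector
    }
    $row = $table[$selector];
    if ($now > $row['expires']) {
        unset($table[$selector]);                 // expired: discard it
        return null;
    }
    $expected = hash(HASHING_ALGORITHM, $row['salt'] . $token . $nonce . $passHash);
    if (!hash_equals($row['token_hash'], $expected)) {
        return null;                              // constant-time mismatch; row kept
    }
    unset($table[$selector]);                     // single use
    return $row['user_id'];
}

// Walk-through on constructed values (no real account data).
$table    = [];
$now      = time();
$userId   = 42;
$nonce    = 'constructed-login-nonce';
$passHash = 'constructed-password-hash';

$link = issue_reset_token($table, $userId, $nonce, $passHash, $now);
// The emailed link would carry ?confirm=<selector>:<token>; neither half names the user.

$wrongToken  = validate_reset_token($table, $link['selector'], str_repeat('0', 64), $nonce, $passHash, $now);
$afterChange = validate_reset_token($table, $link['selector'], $link['token'], $nonce, 'new-password-hash', $now);
$valid       = validate_reset_token($table, $link['selector'], $link['token'], $nonce, $passHash, $now);
$replay      = validate_reset_token($table, $link['selector'], $link['token'], $nonce, $passHash, $now);
$link2       = issue_reset_token($table, $userId, $nonce, $passHash, $now);
$tooLate     = validate_reset_token($table, $link2['selector'], $link2['token'], $nonce, $passHash, $now + 91 * 60);

printf("wrong token: %s, password changed: %s, valid: %s, replay: %s, expired: %s\n",
    var_export($wrongToken, true), var_export($afterChange, true),
    var_export($valid, true), var_export($replay, true), var_export($tooLate, true));
```

Run it with the PHP CLI: only the genuine, in-date, first-use attempt resolves to user 42; the wrong token, the attempt made after the password hash changed, the replay and the expired token are all rejected. Two details worth keeping in a real implementation: the wrong-token path deliberately leaves the row in place so a typo does not destroy a legitimate link, and hash_equals() rather than == is used so response timing does not leak how many bytes of a guess were correct.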

The new functionality will be landing in the master branch very soon, so please take it for a test drive and report your findings. We hope you and your clients enjoy the more security-conscious Textpattern experience.