[wp-trac] [WordPress Trac] #25810: Add nonce to wp-login.php
WordPress Trac
noreply at wordpress.org
Wed Nov 13 04:41:43 UTC 2013
#25810: Add nonce to wp-login.php
-----------------------------+----------------------
Reporter: strangerstudios | Owner:
Type: enhancement | Status: closed
Priority: normal | Milestone:
Component: Security | Version:
Severity: normal | Resolution: invalid
Keywords: |
-----------------------------+----------------------
Comment (by elyobo):
Thanks for suggesting including it in the core :) I'm fine with it or
without it, but we have found it useful against automated attacks for two
reasons.
By requiring the attacker to request the page beforehand, you are rate
limiting the number of authentication attempts that they can make; it
doesn't prevent it, it just slows it down significantly. Complaining that
it increases system load is sort of missing the point; the attacker can
already generate just as much load using only POSTs to log in, whereas
with this they will need to execute GETs as well. I don't think the load
profile will really change, although it might get a little lighter if they
have to do more GETs (which don't involve a lookup to check if the login
is correct) and if we can reject attempts with missing nonces (again, no
lookups).
It also requires a slightly smarter attack; the dumb attacks that we were
experiencing across our networks were not doing a GET first, so while it
didn't prevent the system from being loaded by the attack, it did
guarantee that the attacker would not gain access even if they hit upon
the correct password. So there is in fact a security advantage against
stupid attacks :)
Complaints about the uniqueness of the nonce should be directed to
WordPress :) Because WordPress doesn't actually have nonces (they can all
be reused, so they're not a nonce) the system is less than ideal, but you
can adjust the timeout to reduce the replayability (we use a very similar
plugin with a timeout of 15 seconds or so; @bpetty, the timeout here is 30
seconds, not minutes). This is discussed in the README.md for the plugin.
I would happily use a real nonce here, but didn't want to add the DB
storage overhead or force users to enable sessions or some other caching
mechanism.
@strangerstudios, the key takeaway should probably be that you need to
think before putting a nonce on a front end form; in many situations they
do actually make sense, but they are not a silver bullet, they only
mitigate certain problems and they do make whole page caching more
difficult.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/25810#comment:6>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
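The two nonce flavours the comment contrasts, as an added example written in Python rather than the plugin's PHP; this is not code from the ticket, from WordPress or from the plugin. The secret, the timeout values and the client addresses are constructed for the demo, and the bucket-based scheme is a simplified stand-in for WordPress's tick mechanism: a stateless HMAC over a time bucket, reusable until the bucket rolls over, next to a stored single-use nonce, with a login handler that rejects a nonce-less POST before any credential lookup.

```python
"""Windowed (WordPress-style) nonce vs. single-use nonce on a login form.

Added example, not WordPress's code or the plugin discussed in the ticket.
The secret, timeouts and client identifiers are constructed for the demo.
"""
import hashlib
import hmac
import secrets

# Constructed secret; a real deployment derives this from its own salts.
SECRET = b"demo-secret-not-for-production"


def _window_mac(action: str, client_id: str, tick: int) -> str:
    msg = f"{tick}|{action}|{client_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:20]


def make_window_nonce(action: str, client_id: str, now: float, timeout: float) -> str:
    """Stateless nonce bound to a time bucket of timeout/2 seconds.

    Simplified stand-in for the WordPress tick scheme: nothing is stored,
    but every request inside the bucket gets the same token, so it can be
    replayed until the bucket rolls over (this is the 'not really a nonce'
    point made in the comment)."""
    return _window_mac(action, client_id, int(now // (timeout / 2)))


def verify_window_nonce(nonce: str, action: str, client_id: str, now: float, timeout: float) -> bool:
    """Accept the current bucket and the previous one, so the real lifetime
    is between timeout/2 and timeout seconds after issue."""
    tick = int(now // (timeout / 2))
    return any(
        hmac.compare_digest(_window_mac(action, client_id, t), nonce)
        for t in (tick, tick - 1)
    )


class SingleUseNonces:
    """Server-side store giving true single-use nonces, the 'real nonce' the
    comment would prefer; the dict is the storage cost the plugin avoided."""

    def __init__(self, timeout: float) -> None:
        self.timeout = timeout
        self._expiry: dict[str, float] = {}

    def issue(self, now: float) -> str:
        nonce = secrets.token_hex(16)
        self._expiry[nonce] = now + self.timeout
        return nonce

    def consume(self, nonce: str, now: float) -> bool:
        # pop() makes a second presentation fail regardless of timing
        expiry = self._expiry.pop(nonce, None)
        return expiry is not None and now <= expiry

    def purge(self, now: float) -> None:
        """Drop expired entries so the store does not grow without bound."""
        self._expiry = {n: e for n, e in self._expiry.items() if e >= now}


def handle_login(post: dict, now: float, timeout: float, lookups: list) -> str:
    """Login endpoint that checks the nonce before touching credentials, so a
    POST without a prior GET is rejected with no credential lookup at all."""
    nonce = post.get("nonce")
    if not nonce or not verify_window_nonce(nonce, "login", post["client_id"], now, timeout):
        return "rejected-before-lookup"
    lookups.append((post["user"], now))  # where the real password check would run
    return "credentials-checked"


def simulate_attacks(timeout: float = 30.0) -> dict:
    """Constructed traffic: a POST-only bot, then a bot that fetches the form first."""
    lookups: list = []
    results = {}
    # Dumb bot: POSTs credentials without ever loading the form.
    results["post_only"] = handle_login(
        {"client_id": "10.0.0.9", "user": "admin", "pass": "x"}, 1000.0, timeout, lookups)
    # Smarter bot: GET the form once, then reuse the same nonce inside the window.
    nonce = make_window_nonce("login", "10.0.0.9", 1000.0, timeout)
    results["with_nonce"] = handle_login(
        {"client_id": "10.0.0.9", "user": "admin", "pass": "x", "nonce": nonce}, 1001.0, timeout, lookups)
    results["replayed"] = handle_login(
        {"client_id": "10.0.0.9", "user": "admin", "pass": "y", "nonce": nonce}, 1010.0, timeout, lookups)
    # Same nonce after the window rolled over: the bot must fetch the form again.
    results["stale"] = handle_login(
        {"client_id": "10.0.0.9", "user": "admin", "pass": "z", "nonce": nonce}, 1031.0, timeout, lookups)
    results["lookups"] = len(lookups)
    return results


if __name__ == "__main__":
    print(simulate_attacks())
```

Running `simulate_attacks()` shows both halves of the comment's argument: the POST-only bot never reaches the credential lookup, while the bot that loads the form first gets the same windowed token back on replay until the bucket rolls over, which is why the plugin's short timeout matters. `SingleUseNonces` is the alternative that closes the replay entirely, at the price of server-side state and of breaking whole-page caching of the form.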