computer science, math, programming and other stuff
a blog by Christopher Swenson

Greasemonkey Script: Better WordPress Login

A problem I've always had: WordPress blogs transmit passwords in the clear by default. The only way to remedy this was to break down and buy an SSL certificate for each of your WordPress blogs.

Until now.

I wrote a simple Greasemonkey script for Firefox that secures your password as it is transmitted to any WordPress site. Click here to install it (assuming you are running Firefox and have Greasemonkey installed). It seems to work with WordPress version 2.4 or better (possibly earlier … I just haven't tested it with them).

Naturally, I had to modify the WordPress change password screen. Assuming you are logged in, just go ahead and go to change your password to a new secure one. Notice the "SECURED" text that indicates that the script is working its magic.

Now, if you log out, you would normally see this login screen:

Insecure WordPress Login

However, with the new script installed, it should look like this (note the word "Secure" has been added to the login button).

After you type in your password and click on the "Secure Login Button", the script automatically rewrites your password by hashing it (with a salt), which will produce an identical output for an identical input on the same site. You can see it in action here:

Technical notes:

  • It replaces your password with the SHA-1 hash of (the SHA-1 hash of your password, with a salt appended). Nothing too fancy.
  • The salt is the DNS name of the web server you are connected to. This way, your password for different sites will have different hashes. If you didn't do this, and just used a plain hash for your password, then this would not really give you too much security. For example, if you really think that your password "secret" is made more secure by using the MD5 hash of it instead, just do a Google search on the hash (dd02c7c2232759874e1c205587017bed) to see how secure your password really is.
  • This is important: you will have to have the script installed on every computer you expect to log in with. The password is permanently changed to be a hash, and if you could still log in with the old password, that would be silly.
  • You have to log in normally first (Greasemonkey script off) with your old password, and then change the password with the Greasemonkey script turned on. Then, just leave it on.
  • The script is licensed under the BSD license, so it is easy to adapt to your own purposes. Feel free to do so.
  • I will also make this into a WordPress plugin if there is a desire for that. (I actually prefer having it as a Greasemonkey script so that I know that it is working and hasn't been changed, but I know some people don't want to use Greasemonkey to do this.)
  • A Twitter version is also in testing and cleanup (Twitter does secure your password when you login, but not when you change your password).

If you like what you see, then click here to install the script.