Here's the complete text for the download you were just reading about. For those that hate to read documentation, here's a link to DOWNLOAD hashword 0.01.
As a plugin, hashword displays a form to generate hashed passwords from plaintext. As a module, hashword can be called by other plugins to verify plaintext against a hashed value.
Several popular plugins that write files to your server (such as entries_cache and wikieditish) quite correctly ask for passwords before springing into action. This is A Good Thing, as it prevents accidents or pranks that may change your blog's content or presentation. The problem with these plugins, however, is that the passwords are stored as plaintext: if someone can read the file, the password is worthless.
To guard against this, the authors of such plugins advise that you keep your plugins in a directory that is not publicly accessible; makes good sense. But what if you don't know how to do that, or don't have access to such a space on your server? Then you are potentially screwed. That's where hashword comes in, by providing a method of generating and verifying encrypted passwords; a hashword-based password can be stored "out in the open" without giving away any secrets.
This plugin is very much a work-in-progress, so don't expect too much from it for now. The premise for hashword is that passwords stored inside plugins (as with wikieditish, entriescache, etc.) should be "more secure" -- that is, someone should be able to get their hands on your working copy of a plugin and still not have access to your password.
When used as a plugin, hashword provides an easy means of generating encrypted ("hashed") passwords for use in other plugins. You call hashword from a URL and get a form; you type in your plaintext password and get a hashed password back; you can then paste this hashed password into another plugin's password config var, and that plugin can call hashword to verify your plaintext password against the stored hashed version. Net effect: your 'en clair' password is never again exposed in a human-readable form.
Obviously, for this to be effective, other plugins must call hashword to do the verifying, or else provide their own verification method. Since no plugins do this yet, a companion plugin called 'hashword_tester' provides a demonstration of password verification. (By itself, however, hashword is still a great plugin for generating encrypted passwords ;-)
You can just drop hashword into your plugins folder and it's ready to go. Ditto for the 'hashword_tester' plugin; they're both preconfigured to just run.
To use hashword as a plugin (that is, to have hashword make encrypted versions of plaintext passwords), you must supply it with a password. To do this, add a 'hashword' parameter to a blosxom URL; the value of this parameter is the password you've chosen for hashword operation. For example, let's say you've chosen 'pass' as hashword's password. You would then invoke hashword with something like the following URL:
The first time hashword runs, it will accept whatever password you feed it. It will hash that password, and write it to a file for future reference. On subsequent invocations, the plugin will check its reference file to see if the password you supplied in the 'hashword' parameter matches; if it doesn't, the plugin stops running. (To change your hashword password, just throw away the reference file, named 'pwmstr'.)
To use hashword as a module to create or verify hashes, just drop it in your plugins folder, and call it from within your plugin. There are two routines available:
$hashword::make_hash() takes one parameter, a plaintext str to hash. Output is either 0 (failure) or the hashed plaintext.
The other routine is:
$hashword::verify_hash() takes two parameters: a plaintext str to verify, and the hashed str against which it is checked. Output is either 0 (failure, no match) or 1 (match).
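To make the two-routine module interface and the first-run 'pwmstr' gate concrete, here is an added Perl illustration of the design described above. It is not hashword's own code: the page does not say which hashing scheme hashword 0.01 uses, so this example assumes a salted SHA-256 digest stored as 'salt$hexdigest' (via the core Digest::SHA module), a hypothetical helper _salt, a hypothetical check_master routine standing in for the plugin-mode password check, and a temporary path in place of the real 'pwmstr' file. The password 'pass' is the constructed value from the text.

```perl
#!/usr/bin/perl
# Added illustration of the hashword design; NOT the plugin's own code.
# Assumption: salted SHA-256, stored as "salt$hexdigest".
use strict;
use warnings;

package hashword;
use Digest::SHA qw(sha256_hex);

# Hypothetical helper: 16 random characters from a fixed alphabet.
sub _salt {
    my @chars = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');
    return join '', map { $chars[int rand scalar @chars] } 1 .. 16;
}

# make_hash(plaintext): 0 on failure (empty input), else "salt$hexdigest".
sub make_hash {
    my ($plain) = @_;
    return 0 unless defined $plain && length $plain;
    my $salt = _salt();
    return $salt . '$' . sha256_hex($salt . $plain);
}

# verify_hash(plaintext, stored): recompute with the stored salt;
# 1 on match, 0 on mismatch or malformed input.
sub verify_hash {
    my ($plain, $stored) = @_;
    return 0 unless defined $plain && defined $stored;
    my ($salt, $digest) = split /\$/, $stored, 2;
    return 0 unless defined $digest;
    my $cand = sha256_hex($salt . $plain);
    return 0 unless length $cand == length $digest;
    # Constant-time comparison: do not stop at the first differing byte.
    my $diff = 0;
    $diff |= ord(substr $cand, $_, 1) ^ ord(substr $digest, $_, 1)
        for 0 .. length($cand) - 1;
    return $diff == 0 ? 1 : 0;
}

# Hypothetical check_master(supplied, file): the plugin-mode gate.
# First run: hash the supplied password and write it to the reference file.
# Later runs: verify against the file. Returns 1 to continue, 0 to stop.
sub check_master {
    my ($supplied, $file) = @_;
    return 0 unless defined $supplied && length $supplied;
    if (-e $file) {
        open my $in, '<', $file or return 0;
        my $stored = <$in>;
        close $in;
        chomp $stored if defined $stored;
        return verify_hash($supplied, $stored);
    }
    my $h = make_hash($supplied) or return 0;
    open my $out, '>', $file or return 0;
    print {$out} "$h\n";
    close $out;
    return 1;
}

package main;

# Demo with a constructed password and a temporary reference file.
my $file = "/tmp/pwmstr.demo.$$";
my $h = hashword::make_hash('pass');
print "hashed:      $h\n";
print "verify ok:   ", hashword::verify_hash('pass', $h), "\n";
print "verify bad:  ", hashword::verify_hash('nope', $h), "\n";
print "first run:   ", hashword::check_master('pass',  $file), "\n";
print "second run:  ", hashword::check_master('pass',  $file), "\n";
print "wrong pw:    ", hashword::check_master('wrong', $file), "\n";
unlink $file;
```

Two design points worth noting: the salt makes two hashes of the same plaintext differ, so a leaked plugin file does not reveal that two plugins share a password, and the byte-by-byte comparison avoids leaking how much of a guess was correct through timing. Neither point is claimed for hashword 0.01 itself; they are what a verifier of this shape should do.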
To demonstrate hashword as a plugin, just enter a blosxom URL as above. To demonstrate hashword as a module, follow the simple steps in the 'hashword_tester' plugin.
NOTE -- if you forget the plaintext of a password that's been hashed, that's it; it's gone, say goodbye.
There's a roadmap for hashword; now I just have to follow it ;-) Future releases will focus on expanding its role as a module:
- the form -- the form that hashword displays will be made available to other plugins. The form will also be customizable, to a certain degree: plugins that call the form will be able to specify a 'title' string, the input box labels, and the success string.
- routines -- ultimately, hashword will host five (?) routines that other plugins can call:
  - make_hash(): same as now
  - verify_hash(): same as now
  - make_hash_cookie(): params will be the incoming plaintext pw, the cookie-owning domain, and the key name for the hashed pw; action will be the same as write_hash(), additionally writing the hashed pw to the cookie; result will be 0 or 1
  - verify_hash_cookie(): params will be the incoming plaintext pw, the cookie-owning domain, and the key name for the hashed pw; action will be the same as verify_hash(); result will be 0 or 1
  - make_hash_form(): as described above
  (Cookie stuff will be dependent on the cookie plugin being installed)