Pepper question

I understand how Pepper works with logins and would like to try it out but do not see from the plugin or settings screen in CP how to set a pepper for the first time.

I have the message “ClassicPress is currently using a Pepper” and a button for “Create or renew a pepper for the password storing algorithm,” but the button merely repeats the screen “Pepper renewed.” I get no new screen or menu for setting one. Account management similarly offers no options. How does one set the Pepper?

I’m obviously missing something. Can anyone redirect me?

Later edit: I see now from the announcement of 2.2.0 that “there will be a blog post on how to use this plugin in the next week or two.” Good news.

That page is not meant to insert a custom pepper. Clicking the button just generates a new random one.
More information here.

Thank you @Simone — I checked the discussion.

I have obviously misunderstood what a Pepper is and how it works. Everything I have read states that a pepper is user-generated and not stored in the database — in fact, that is the point: it is a separate security layer that is not accessible if the database is compromised and even the salt is hacked. @ElisabettaCarrara remarks to the effect that

The person I think was expecting to set the pepper manually

From the code I got the impression that the plugin creates a random Pepper, saves it, gets it and uses it instead, without user intervention.

Then I’m wondering how the user knows the pepper to add it to his or her password.

When the button is clicked for the first time a Pepper is set. Button changes to refresh Pepper and when clicked the old Pepper is deleted and refreshed (that makes it easy to force a “logout and change your password” kind of action for sites that have users

This is unclear: what site does not have at least one user (admin)? I am similarly unclear about “forcing a logout and change your password” (I’m unsure of the circumstances under which one would do that) since when you log out, as I did, you are effectively locked out of your site, as I was, because your old password no longer functions (the new pepper has been set but you do not know it and cannot access it) and yet you cannot get back in to change it as the remark suggests. It’s a circular conundrum, at least it was for me yesterday.

but with the text that is there on the admin page for the plugin it’s not clear).

Adding some text along the lines of: “Clicking this button will take care of creating a random Pepper for you, when you need to refresh it just click the button again” might be more explanatory and help people understand what is happening behind the scenes.

That is indeed how I understood the statement, but it still would not have allowed me back into my site to set a new password. Again, it seems I have misunderstood almost everything I have read about adding a (user-generated) pepper.

To be clear, the pepper is generated and added by the plugin. The refreshing of the pepper causes you to undergo the “forgot password” procedure to set a new one. Usually yes, a site has at least ONE admin user. Generally speaking, Pepper is however more of use in case a site with MANY users gets somehow hacked and it is necessary to force them all to reset their password. The admin in that case would be alerted the site is infected, resolves the infection, refreshes peppers, uses the forgot password to set a new admin password, and then should send an email (in Italy this step is by law) to let users know that the site requires them to set a new password with the forgot password link.
You do not need to know the pepper. When it is refreshed and you set the new password from forgot password, it adds it on its own. Knowing the pepper defeats its purpose (the same way knowing the SALT does).

Thanks for the response. Much appreciated.

the pepper is generated and added by the plugin. . . . Knowing the pepper defeats its purpose (the same way knowing the SALT does)

I am by no means implying that your statement is wrong, just that it contradicts essentially everything I have read about the difference between salt and pepper, the former of which is generated automatically and stored with the password in the database, the latter of which is said to be user-generated and then stored off-site, preferably also memorized by the user for login and security purposes.

Knowing the pepper defeats its purpose (the same way knowing the SALT does)

The explanations I have read (at least as I understand them) maintain that only the user should know the user-generated pepper for his or her password, which is not stored in the database with the salt. So CP seems to be using a variation of this protocol, though if the pepper is stored in the database with the salt, then it, too, can conceivably be hacked if the database is compromised. Or so it seems.

The admin . . . refreshes peppers and uses the forgot password to set a new admin password. and then should send an email (in Italy this step is by law) to let user know that the site requires them to set a new password with the forgot password link.

I could not use a forgotten password or any password to set a new admin password because I was locked out of the site by the automatically regenerated pepper. Nor was there any indication that I would receive an email with a link to do so. I mean, I am the admin who would send the email. :astonished:

So . . . do I understand this correctly (my bracket insertions):

You do not need to know the pepper. when it [the pepper] is refreshed [via the refresh button] and you set the new password from forgot password it [the plugin] adds it [the pepper to the database as part of your reset password] on its own.

That is:

If I

(1) click to refresh the pepper, then

(2) I am required to reset my password then and there, since my old one will no longer work, or reset it at least before I log out (so I don’t get locked out as I was) —

That is, I can reset the old password (or a new one) then and there (before I log out) so that the database can rehash the old password (or a new one) with the new pepper while I am still logged in.

When I then log out and log in even with the old password (if I have reset it before logging out), the login will proceed normally — the database will recognize my password as associated with the refreshed pepper. Correct?

Sorry for the confusion on my part, but my differing understanding of peppers did indeed lock me out of my site yesterday. No harm done (thanks @timkaye), but this different understanding of peppers threw me for a loop.

Thanks again for your response.

I did search further and found what is apparently happening here that I did not understand:

The pepper can be hard-coded into the website’s source code or added manually by the private or business user. In the first scenario, the online platform’s owner chooses the pepper, taking responsibility for the code’s strength and security. The same pepper is used throughout the site’s database: There are no individual password peppers for users.

The author goes on to lament the downside:

If cybercriminals gain access to the source code, they could quickly discover the pepper, and it could compromise the hashed passwords.

And this is the scenario to which I was referring. Fair enough. I understood the plugin instead as enabling one to create a pepper “manually”:

Adding a pepper to your passwords has to be done manually . . . Once you’ve created your base password, add the pepper and that will be your actual new password. Update your most important accounts using it. Now, when logging in, you’ll have to add the pepper every time to access the account.

My understanding now is that by clicking the button, one is (as it were: “manually,” but not in the above sense) prompting the plugin to “take responsibility for the code’s strength and security” and generate and add a (non-user-generated) pepper (instead of the user creating and remembering one) that is hard-coded and added to every password. Elisabetta’s remark now also makes sense in the case that the site “gets somehow hacked and it is necessary to force them [users] all to reset their password.”

Looking forward to the blog explanation.

The pepper is saved to a file in plugin folder.
The resetting password when you refresh it happens the normal way (going to wp-login/wp-admin when logged out and clicking forgot password in the login form). The plugin takes care of adding the pepper to the new password.
The fact that it is generated randomly makes it more secure.
SALT also should be generated randomly with a python script (as detailed in a comment inside the wp-config file; to be noted that if you have python3 you have to amend it to work with python3).
Randomly generating it is more secure because really the only place the pepper can be found is the file. If site is hacked (that even with ALL the security levels in place sometimes can’t be avoided) it’s easy to lock out the attackers with a new random one.

What I think we should add is a function that sends out an email from the site every time the pepper is refreshed to let users know they need to reset their password via a reset password link. That could be useful. I might work on that in the coming days. And another thing is better wording for the admin screen. Users really should not be guessing what it does.
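The mechanics described in the two replies above (the pepper is a random site-wide secret kept in a file rather than in the database; refreshing it invalidates every stored hash, so each user goes through the forgot-password flow, which stores a new hash under the new pepper) as an added Python illustration. This is not the plugin’s or ClassicPress’s code: the pepper file path, the HMAC-then-PBKDF2 construction, the iteration count and the sample user record are all assumptions chosen for the example.

```python
"""Salted + peppered password hashing, with pepper rotation forcing a reset.

Added illustration for this thread, not ClassicPress or plugin code. The
pepper file location, the HMAC-then-PBKDF2 construction and the iteration
count are assumptions made for the example.
"""
import hashlib
import hmac
import os
import secrets
import tempfile
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # assumption: tune to your own hardware


def load_or_create_pepper(path: str) -> bytes:
    """Return the site-wide pepper, creating a random one on first use.

    The pepper lives in a file outside the database, so a dump of the users
    table alone is not enough to check password guesses offline.
    """
    if os.path.exists(path):
        with open(path, "rb") as fh:
            return fh.read()
    pepper = secrets.token_bytes(32)
    # 0o600 and O_EXCL: only the owning (web-server) user can read it, and
    # we never silently overwrite an existing pepper.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(pepper)
    return pepper


def rotate_pepper(path: str) -> bytes:
    """Replace the pepper with a fresh random value (the plugin's "refresh").

    Every stored hash was computed under the old pepper, so afterwards no
    existing password verifies: users must set a new one via forgot-password.
    """
    if os.path.exists(path):
        os.remove(path)
    return load_or_create_pepper(path)


def _prehash(password: str, pepper: bytes) -> bytes:
    # Mix the pepper in with HMAC rather than plain string concatenation.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iters>$<salt_hex>$<hash_hex>', the value stored in the DB."""
    salt = salt or secrets.token_bytes(16)  # per-user salt, stored with the hash
    dk = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str, pepper: bytes) -> bool:
    """Recompute the hash with the current pepper and compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", _prehash(password, pepper), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


def demo() -> dict:
    """Walk through the thread's scenario and return the outcomes of each step."""
    with tempfile.TemporaryDirectory() as tmp:
        pepper_path = os.path.join(tmp, "pepper.bin")  # constructed location
        pepper = load_or_create_pepper(pepper_path)
        users = {"admin": hash_password("correct horse", pepper)}  # stands in for the users table
        before = verify_password("correct horse", users["admin"], pepper)
        # Admin clicks "refresh": the old pepper is deleted and a new random one written.
        new_pepper = rotate_pepper(pepper_path)
        after_rotate = verify_password("correct horse", users["admin"], new_pepper)
        # Database-only leak: the row is known but the pepper file is not.
        db_only = verify_password("correct horse", users["admin"], b"")
        # Forgot-password flow re-hashes the chosen password under the new pepper.
        users["admin"] = hash_password("correct horse", new_pepper)
        after_reset = verify_password("correct horse", users["admin"], new_pepper)
        return {
            "before": before,
            "after_rotate": after_rotate,
            "db_only": db_only,
            "after_reset": after_reset,
            "pepper_changed": pepper != new_pepper,
        }


if __name__ == "__main__":
    print(demo())
```

The walk-through shows why the original poster was locked out: after the refresh the same password no longer verifies (`after_rotate` is False) until it is stored again under the new pepper, which is exactly what the forgot-password step does. It also shows the property the file-based pepper buys: the stored row alone (`db_only`) is useless without the pepper file.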

Thanks, Elisabetta, for the explanation about the plugin folder and the forgot-password form. Makes good sense now.

A function that sends out an email when the pepper is refreshed should perhaps have an admin on/off function as well for those who don’t really need to use the function.

Also, having the “Visit Plugin Site” take the user to the github page is not helpful for everyone (not every user or even admin is github-savvy). Perhaps a single explanatory page on the CP main site for the plugin similar to that for WP plugins with FAQs, latest version number, and so on?

Thanks again. Very helpful.

That can be a useful feature.
Maybe with a checkbox in the page to enable it or anyway a filter to make this optional.

I seem to have managed to permanently log myself out of my ClassicPress installation after enabling the pepper. I went to my profile and reset my password there, and then I later wanted to log in from a second computer. After logging in, I received a 500 internal server error, and the email notification from ClassicPress stated that the Pepper plugin was responsible. It then offered to bring up a recovery mode, but that recovery mode doesn’t accept my login, and neither does the regular login. Resetting the password results in either another 500 internal server error, or a success message that then, however, does not let me log in either, claiming that the password is wrong.

So, as it stands, after enabling Pepper, there is no longer a way for me to access my admin dashboard in either normal or recovery modes. And I’m sure that’s not by design. :wink: My instance is on an Uberspace asteroid.

Any idea what else I can do short of wiping everything and starting over completely fresh?

You need to go into your cPanel and phpMyAdmin. Click on the name of the database at the top left to expose the full list of database tables. Look for the users table, and find your entry. Click Edit, and replace whatever is currently in the user_pass box, then in the dropdown to its left, select MD5. Then go down to the bottom and hit Go. You should now be able to log in using your new password.

Thank you so much, this worked, and I was able to go into recovery mode and disable ClassicPress Pepper. Now, from the second machine, the login works again without a server error. Guess I’ll leave this plugin disabled for the time being.

Glad that worked. I know @ElisabettaCarrara is working on some instructions on how to use the pepper.

I realize that @ElisabettaCarrara is working on instructions (for which thanks), but in the meantime I’m curious about @MarcoZ’s experience, since I have assumed he proceeded correctly. To wit, why, exactly, does his procedure not work:

after enabling the pepper. I went to my profile and reset my password there, and then I later wanted to log in from a second computer . . .

I did learn earlier why my own attempt (described above) did not work: I was expecting a manually set password, which is a different kind of pepper setup. But he seems to have followed the proper procedure of (1) enabling/setting the pepper and (2) then resetting his password, which, coincidentally, I was about to try myself, since I would indeed like to enable the pepper.

Can anyone give a brief explanation? I don’t see a third way of doing this.

A bit late, but still: many thanks to @ElisabettaCarrara and the other core contributors for the fix to the Pepper plugin. I read through your Zulip exchange and appreciate your hair-splitting, molecular-level care. The plugin has been a great addition. Thanks.
