In this lunchtime #WPQuickies, I’m continuing the series on WordPress security – this one is on using secure passwords.
Sun Tzu was a Chinese General, Strategist and Philosopher born around 512BC.
He wrote the bible in offensive and defensive strategy called The Art Of War and even today his words are relevant.
One of my favourite quotes of his is:
“Even the finest sword plunged into salt water will eventually rust.”Sun Tzu
So what does that mean in the context of website security today?
“Just because your site is secure today, doesn’t mean it can’t get hacked tomorrow, next month or next year.”Wil Brown
You Are At War With Multiple Enemies
There are a tonne of botnets out there trying to automatically hack into websites and WordPress, due to its popularity, has a big target on its back.
Millions of websites are hacked every day for the same number of reasons.
Let’s try to make sure yours is not the next one by having a look at passwords.
Usernames & Passwords: Not Just WordPress
Remember that your WordPress website is built on a stack of other services.
Don’t just secure your WordPress username and password, think about those other services such as: cPanel, email, FTP, SSH and MySQL.
Make sure those services have secure passwords as well.
Usernames To Avoid
Try to avoid these commonly targeted usernames:
admin, administrator, root, manager, debug, user, system, default, netman, superuser, guest, backup, sys, sysadmin, siteadmin, test, …
Why Avoid Username “Admin”?
A few years ago, web hosting companies offered a one-click WordPress install script.
This script installed WordPress along with a default user whos username was “admin”.
As such, many hackers now knew a username and only had to hack a password to get into the WordPress admin dashboard with administrator level priveleges.
Password Letter/Number Substitutions
Don’t replace letters with numbers or symbols.
Simple character substitution is weak.
butterfly = 8utt3rf1y
This no longer works and takes just a few days to crack!
This rather lengthy article from the National Institue of Standards and Technology (NIST) describes in great detail why simple character substitution no longer works.
Social engineering is defined as the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
For example if somebody calls you and asks for your mothers maiden name, your date of birth and current address for “proof of identification” – RED FLAG there!
Avoid personal / social information
- Name and memorable dates: Bob1976, 2005Cindy
- Fav footie club name, car rego, house number: Swans2017, CY35TG, 4/2044
Basically anything that is on public record that somebody could look up.
Social Engineering Must Reads
Two great resources to read about this are:
2003 The Art Of Deception, Kevin Mitnick
2016 LastPass Survey The Password Paradox And Why Our Personalities Will Get Us Hacked
Good Password Examples
Use a random 16 (at least) character password and include at least one uppercase, lowercase, number and symbol.
Or use 4 random common words stringed together:
correct horse battery staple = correcthorsebatterystaple
Why does the four random common words work well as a password?
The following comic from https://xkcd.com/936/ demonstrates how using four random common words stringed together increases the difficulty of guessing the password (password entropy) compared to character/number substitutions from a base non-gibberish word.
For the sceptics, there is even a stack exchange question and answer about do four random common words make a stronger password?
What Is Entropy?
What is Password Entropy?
Password entropy predicts how difficult a given password would be to crack through guessing, brute force cracking, dictionary attacks or other common methods.
Password entropy is calculated from the base character set being used (including uppercase, lowercase, number and symbols) and the length of the actual password.
Both work across multiple devices, have good user interfaces and use strong encryption to store passwords.
For me, LastPass is a clear winner due to its use of multi-factor authentication with lots of 3rd-party options such as Google Authenticator, whereas 1Password just uses a secret key.
You can read more about the comparisons between LastPass and 1Password on the Digital Trends blog post.
Two-Factor Authentication (2FA, Multi-factor)
You can use another external device to generate an authentication code which you can use in combination with your username and password to login to your WordPress website.
The idea of 2FA is that you are the only person with the device that can generate the authentication codes, e.g. mobile phone app, usb key.
WordPress Password Storage
Passwords themselves are not stored in the database!
That means, if you have access to the database, you can replace the password field in the users table record with an online MD5 hash generator and gain access to the account.
WordPress will replace the has with a salted hash after you have logged in, using the salt table in the wp-config.php file.
Is MD5 Insecure?
The MD5 hash designed for high volume speed, not security.
MD5 + salts is still a poor choice as it’s designed to be fast to generate the hash which modern computers can easily do.
Modern GPUs can generate billions of candidate passwords per second i.e. brute force so theoretically MD5 hashes alone (without salt) can be guess reasonably easily.
Replace MD5 with Bcrypt
Warning – if you do this, your user passwords cannot revert back to MD5!
The team at roots.io have created a plugin which replaces the MD5 hashing system natively used by WordPress with the newer PHP Bcrypt library.
You can download the plugin from https://roots.io/plugins/bcrypt-password/
It does require that your server PHP version is v5.5.0 or above.
You can check your site’s PHP version from Tools > Health Check in the WordPress admin area.
I hope you can use the information in the security WPQuickie to keep your WordPress logins secure.
Join me every Thursday at 1 pm AEST for some more WPQuickies.
Suggest a #WPQuickies Topic
If you have an WordPress topic you’d like to see explained in 30 mins or under, fill out the form below.