How to Setup Strong WordPress Passwords

WordPress 3.7 updated their password meter to recognize common mistakes that can weaken your password such as dates, names, keyboard patterns (123456789), and even pop culture references. While this is a good start, we recently learned how to create a strong password by using one of the password management tools or an online tool like http://passwordsgenerator.net/.

Remember to use unique strong passwords for all your accounts in WordPress such as your admin account, user account, and WordPress database user account. And of course you want to use WordPress’s secret key generator tool for the core configuration.

Password Management Tools

If you have come to the same conclusion that I have and you need strong random passwords on all your accounts, how will you manage all of them? You know you shouldn’t write them down or keep them in a plain text file, so what to do? Thankfully there are several password management solutions out there, from online solutions to stand-alone offline solutions.

The main difference between the two types systems is if you want access to your passwords online (and do you trust a vendor with all your passwords).

  • LastPass has a both a offline and online solution for your password management needs.
  • 1Password is the other top password management tool competing against LastPass. They only have an offline solution.

My personal favorite though is KeePass as it is open source software, free, and cross platform. LastPass and 1Password are cross platform as well, but they are proprietary closed source solutions. Any of these options will work fine for the majority of use cases, so don’t spent too much time debating which one to go with. Just remember to use a strong password to gain access to all your other passwords!

Why You Need Random Passwords

I highly recommend having random passwords for every site you have a account on. If you can’t do that, then at least have different passwords for accounts that have payment related information in them. Why? If an attacker got access to your account,then they just got access to all your other accounts as well!

Below are two tips that I found online that don’t make complete sense to me and they highlight how random passwords are solution.

Once you have a strong base password, you can use it to create individual passwords for each of your online accounts. Simply add the first three letters of the service, e.g. “E1d_1D!4Y:)GMa” for your GMail account or “E1d_1D!4Y:)eBa” for eBay.

Assuming the attacker got access to one of your passwords, and they noticed the pattern, they can easily pivot to your other accounts using this password “strategy”.

Choose two short words and concatenate them together with a punctuation or symbol character between the words. eg. “seat%tree”

GPU based password cracking will breeze through this type of password. Sure it is easy to remember, but this password “strategy” gets you nowhere.

Minimum Password Length

Several websites state that having a password length of 8 is good enough, but that number was based off of current CPU technology at the time and the time required to to use those CPUs to break them. Graphic cards have been taking over the password cracking scene for a several years now, as password computations (for certain algorithms) are well suited for GPUs over CPUs which can result in several billion password computation/cracks per second!

So why did I recommend a minimum password length of 12 if permitted? Based upon the above information aren’t we screwed? I think it is good enough for now as it is much better than a length of 8 where an attacker can brute force that key space in a couple hours to days depending on the GPU and algorithm used for the password. And a required step to the above scenario is that they have your encrypted password, which would likely come from them hacking into a website and they downloaded all the customer data.

What are your thoughts on password lengths? Is it something you worry about? Do you have a better strategy?

For additional reading on password cracking, Dan Goodin from Ars Technica has a couple good articles on the subject:

How to Create a Strong Password

As passwords are your keys to many digital things, you probably want to ensure that it is reasonable secure and strong right? There is a lot of advice out there when it comes to creating a strong password, and while most of it is good, some of the recommendations should not be listened.

Part of my responsibilities as a penetration tester was to see if one could determine a user’s password through means like brute forcing. Through those experiences, I’ve gotten insight into what password strategies work against current techniques attackers use.

So how do you create a strong password? Here are four simple tips to secure your digital accounts.

  1. A minimum password length of 12 if permitted
  2. Have a mixture of uppercase and lowercase letters, numbers, and special characters
  3. Use a random password generator to generate the above
  4. Use a password manager to store all your strong passwords and make sure you use a strong password on your vault as well!

In the next post series, I will explain how I came up with these tips and why you should follow them.

SpiderLabs Discovers 2 Million Stolen Accounts

Yesterday there was a post from the Trustwave SpiderLabs crew about discovery of compromised accounts due to their investigation of the Pony Botnet. This is another great example of how one must protect their account information by having complex passwords for websites. And if you have the same password in multiple places, an attacker could easily pivot into that account as well.

Part of the analysis was a review of the top used passwords and nearly 16000 accounts had the password of “123456”! Other top passwords in use were “123456789”, “1234”, “password”, “admin” and other simple number patterns.