Strong Passwords

In the previous post in our series on security, we covered the 90,000 IP Address super-botnet that is brute-forcing into WordPress sites with insecure username / password combos. On the surface, a 90,000 IP Address botnet sounds pretty intimidating. It’s a bit like the big boss you’d fight at the end of an NES game back in the 90’s. But there’s actually a way that any WordPress user can do battle with a botnet of any size.

This leads me into Post #2 of our Series on Security:

“Stay Secure with Strong Passwords”

Before we get carried away with a bunch of in-depth posts about security, we gotta start with the front door: the username / password combo. Since more of the internet is built on WordPress than any other type of website, 17% of the entire Internet, it’s critical that WordPress users stay on top of the security of their usernames and passwords. As WordPress continues to grow, the user base must take responsibility for that part of web security. Now, hosts can go a long way to protect their users by forcing strong passwords and not creating the “admin” username on customer sites, both of which WP Engine does. But for hosting companies that don’t manage these two variables on behalf of their users, the users end up with 100% of the responsibility for web security on their shoulders.

Last week, Matt Mullenweg recommended that site owners use “a strong password…and make sure you’re up to date on the latest version of WordPress.” Those two things go a long way to keeping your site safe. Since WordPress Core is remarkably secure, a strong password is the next element to a secure site. Again, both of these areas are covered when you host with WP Engine.

Ok, so using strong usernames and passwords is the responsibility of each user. But security as a whole is a partnership between host and client. Like WP Engine does, your hosting provider can force you to pick strong passwords (which can be frustrating at times) because this ultimately ensures that things like the super-botnet do not pose nearly as much of a threat as they might. But let’s cover strong passwords because there’s a good chance you’ve got WordPress sites all over the internet, and you have a password for every online service you use.

Define “Strong” Password

Passwords are most effective when they’re longer than 8-12 characters (24 if you REALLY want to be secure), unique, and high in entropy, meaning they contain a sufficiently large variety of character types. Basically, that means the password “password” is weak because it’s short, common, and made of all lowercase letters, and hence has low entropy. The lack of variety, not to mention how obvious it would be to guess, is a security problem.

The above paragraph seems pretty obvious to a lot of users, but do a quick google for the list of passwords from a recent hack. There are always *thousands* of accounts that used “password” to access their accounts. It seems obvious, but many end users don’t grasp the danger they face. With that in mind, I’m willing to be redundant about what password strength means.

Of course, the challenge of creating a sufficiently strong password is that it’s a pain to remember. If you make up a 24-character password with random numbers, symbols, and letters, there’s no human pattern you can use to remember it. You just have to memorize it.

Enter the Passphrase

My suggestion is that you use a passphrase. For example, take a sentence like “the lazy brown fox jumped over the sleeping dog” and use that as your password (Yes, it’s too long for most passwords, but you get the idea). If your password previously was “password,” now it’s “thelazybrownfoxjumpedoverthesleepingdog.” Both are simple to remember because you have a mental context for them, but one is predictable, and the other one is sufficiently long and complex that it would take years (give or take a few undecillion years) for a PC to guess. And that’s without ever adding any numbers, symbols, or capitals.

Of course, you want to pick a passphrase that’s unique to you.

If you haven’t yet created a long password, now’s a great time to think of a passphrase. Take a second, come up with a sentence you know you’ll remember, don’t tell anyone, and then go change all your passwords to passphrases.
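To put numbers on the “password” versus passphrase comparison, here is an added Python sketch (not part of the original post) that estimates the brute-force search space from length and character variety and checks a small common-password list. The guess rate of 1e9 per second, the 12-character minimum, and the `COMMON` list are assumptions made for illustration.

```python
import math
import string

# Constructed sample of very common passwords (not a real breach list).
COMMON = {"password", "123456", "qwerty", "letmein", "admin"}
# Character classes and the alphabet size each contributes when present.
CLASSES = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
           (string.digits, 10), (string.punctuation, 32)]
GUESSES_PER_SECOND = 1e9   # assumed attacker speed, illustration only
MIN_LENGTH = 12            # assumed policy: upper end of the post's 8-12
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(pw):
    """Size of the character pool an exhaustive search must cover."""
    size = sum(n for chars, n in CLASSES if any(c in chars for c in pw))
    # Characters outside the four ASCII classes (spaces, Unicode) are
    # counted individually rather than guessing a pool size for them.
    other = {c for c in pw if not any(c in chars for chars, _ in CLASSES)}
    return size + len(other)


def brute_force_bits(pw):
    """log2 of the number of strings of this length over that pool."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(alphabet_size(pw))


def assess(pw):
    """Return (verdict, bits, years to exhaust the search space)."""
    bits = brute_force_bits(pw)
    # Guard against float overflow for extremely long inputs.
    years = math.inf if bits > 1000 else 2 ** bits / GUESSES_PER_SECOND / SECONDS_PER_YEAR
    if pw.lower() in COMMON:
        verdict = "reject: common password"  # guessed first; bits are moot
    elif len(pw) < MIN_LENGTH:
        verdict = "weak: too short"
    else:
        verdict = "ok"
    return verdict, bits, years


if __name__ == "__main__":
    for pw in ("password", "thelazybrownfoxjumpedoverthesleepingdog"):
        verdict, bits, years = assess(pw)
        print(f"{pw!r}: {verdict}, {bits:.1f} bits, ~{years:.1e} years")
```

The figure models blind character-by-character guessing only. A passphrase taken from a well-known sentence can be found by dictionary-style guessing long before that search finishes, which is why the sentence needs to be your own.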

Passphrases not your style, but you want a system to create long passwords? Here’s a post from our friends at Sucuri on creating complex passwords for the more technically-inclined.

Use a Password Manager

There are some awesome programs you can install into your browser that will manage your passwords and passphrases for you. Yep, they’ll do the hard work of creating and remembering sufficiently difficult-to-crack passwords. Check out either 1Password or LastPass. Both are secure solutions that empower you to have sufficiently complex, long passwords, while you let software remember and automatically enter them when you visit the various websites that make up your daily routine.

Wrapping Up

What’s amazing about the 90,000 IP Super-Botnet (we should come up with a cute nickname to call it, like, Daisy or Lucy) is that it would have been powerless to brute force into a paper bag if said paper bag had taken 30 seconds to come up with a strong username and password combo. Just imagine someone going to all the trouble to spin up 90,000 IP addresses only to find that everybody has really badass passwords. You’d be pretty mad! I think it was Oscar Wilde, the famous Apple Sysadmin who said, “Only you (and your managed WordPress provider) have the power to prevent brute force intrusions.”

And, until all hosting companies force strong usernames and passwords, or strong passwords become part of WordPress Core, 70 million+ WordPress sites will need to manage that process themselves.

The password is just the front door to your website that users are supposed to be able to walk through. In the upcoming posts, we’ll dig into the various layers of security that go all the way down to the filesystem and the database at the lowest levels of the server.