Long Live WordPress Passwords

It’s a long-understood aspect of network security that any password built from a dictionary word, from aardvark to zyxt, can be cracked in minutes once an attacker holds the password hash. Even passwords like aa4dvark or aardvark2013 fall almost as fast, because password-cracking programs such as John the Ripper do not try the wordlist verbatim: they apply mangling rules (character substitutions, capitalisation, appended digits and years) to every word and race through the permutations until one of them hashes to the right value.

For a while, the most secure passwords were, in theory, passphrases: easily remembered sentences such as “thecakeisalie” or “givemelibertyorgivemedeath.” These held up only because they weren’t in any password-cracking program’s dictionary, the long, long list of aardvarks and aa4dvarks that fills programs like John the Ripper. They weren’t in the list because collecting millions of phrases was long and arduous work. In other words, the protection rested on the cracker’s wordlist being incomplete, not on the phrases being hard to guess.
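The rule-based guessing described above, as an added example that is not part of the original post: a tiny constructed wordlist, a single “overstrike one character with a digit” rule plus the usual suffixes, and unsalted SHA-256 standing in for a leaked fast hash. John the Ripper’s real rule language is far richer; the point is only that aa4dvark and aardvark2013 are a handful of guesses away from aardvark.

```python
import hashlib

# Constructed toy wordlist; a real cracking dictionary has millions of entries.
WORDLIST = ["aardvark", "banana", "liberty", "zyxt"]


def overstrike_variants(word):
    """Yield the word itself, then every variant with one character
    overwritten by a digit. This one rule already covers leet-style
    'a'->'4' as well as the post's aa4dvark (the 'r' replaced by '4')."""
    yield word
    for i in range(len(word)):
        for digit in "0123456789":
            yield word[:i] + digit + word[i + 1:]


def candidates(wordlist, years=range(1990, 2030)):
    """Generate guesses the way a rule-based cracker does: each base
    variant plain, capitalised, with a 0-99 suffix and with a year suffix."""
    for word in wordlist:
        for base in overstrike_variants(word):
            yield base
            yield base.capitalize()
            for n in range(100):
                yield f"{base}{n}"
            for year in years:
                yield f"{base}{year}"


def sha256_hex(text):
    """Unsalted SHA-256: a constructed stand-in for a leaked fast hash."""
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hash, wordlist=WORDLIST):
    """Return (password, guesses_made); password is None if the rules are exhausted."""
    guesses = 0
    for guesses, guess in enumerate(candidates(wordlist), start=1):
        if sha256_hex(guess) == target_hash:
            return guess, guesses
    return None, guesses


if __name__ == "__main__":
    for pw in ["aardvark", "aa4dvark", "aardvark2013", "correcthorsebatterystaple"]:
        found, n = crack(sha256_hex(pw))
        print(f"{pw:28s} -> {found!r} after {n} guesses")
```

The four-word string is the only one the rules never reach, and only because none of its words is in this toy list; grow the list and the rule set and the gap closes, which is the whole argument of the post.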


Until now. As Ars Technica noted this week, password-security researcher Kevin Young was able to add the entirety of Wikipedia and 15,000 public-domain literature, philosophy and government texts from Project Gutenberg to his password-cracking wordlist. “Givemelibertyorgivemedeath” isn’t a dictionary word… until you expand your dictionary.

Or, to quote Ars Technica writer Dan Goodin directly: 

As new technologies emerge that make it easier to access more written material, “It was the best of times, it was the worst of times,” “We the People of the United States, in Order to form a more perfect Union,” and any one of millions of other well-known phrases may soon offer no more protection than “Password123” and “letmein!”

What’s going to follow the demise of the passphrase? Here are the three most likely options:

#1: Correct Horse Battery Staple

The first solution, and the one immediately suggested by Ars Technica commenters, is a string of several dictionary words chosen at random, so that together they do not form any song lyric, quotation or phrase. This is also, famously, the solution proposed by Randall Munroe of XKCD.

The theory is as follows: a password cracker that holds “horse” in its list will also try “h0rse” and “aaaaahorse,” and with a phrase corpus it will try “ahorseisahorseofcourseofcourse” too. What it cannot do cheaply is try every possible combination of four words: with a 2,048-word list that is 2,048 to the fourth power, about 1.8 × 10^13 candidates, or 44 bits of entropy, and because the words were picked at random no corpus of sentences predicts which four you got.

Problem: crackers already chain dictionary words together (John the Ripper and hashcat both have combinator modes), so the strength comes from the size of the list and from the words being chosen at random, not from the words being obscure. Four words a person picks by association are far weaker than four rolled from a list, and even a genuine 44 bits is comfortable against a slow, salted hash like bcrypt but within reach of a GPU cluster against an unsalted MD5 or SHA-1 database.
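An added illustration of the arithmetic behind this option, not part of the original post: a secret is measured by how many equally likely choices the attacker must try, so a famous phrase is one pick from a corpus of phrases, while four random words are four independent picks from the list. The corpus size, list size and guess rates are assumed round numbers, not benchmarks.

```python
import math
import secrets

# Constructed mini wordlist; Diceware ships 7,776 words, xkcd assumed 2,048.
WORDLIST = ["correct", "horse", "battery", "staple", "liberty", "death", "cake", "lie"]


def entropy_bits(choices, slots):
    """Bits of entropy in `slots` independent, uniform picks from `choices` options."""
    return slots * math.log2(choices)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to hit the secret: on average half the keyspace is searched."""
    return (2.0 ** bits) / 2 / guesses_per_second


def random_passphrase(wordlist, n_words=4):
    """Draw the words with a CSPRNG. The randomness is the point: the same four
    words chosen by a person are predictable and get none of these bits."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def compare(famous_phrase_corpus_size=10_000_000, wordlist_size=2048, n_words=4):
    """Entropy in bits for the three kinds of secret the post discusses."""
    return {
        # A quotation pulled from a corpus of N well-known phrases is one pick from N.
        "famous_phrase": entropy_bits(famous_phrase_corpus_size, 1),
        # Eight random printable ASCII characters (95 symbols).
        "random_8_chars": entropy_bits(95, 8),
        # n_words random words from a list of wordlist_size.
        "random_words": entropy_bits(wordlist_size, n_words),
    }


if __name__ == "__main__":
    for kind, bits in compare().items():
        # Assumed rates: 1e11/s for an unsalted fast hash on a GPU rig, 1e4/s for bcrypt.
        fast = expected_crack_seconds(bits, 1e11)
        slow = expected_crack_seconds(bits, 1e4)
        print(f"{kind:16s} {bits:5.1f} bits  fast hash: {fast:12.0f} s  bcrypt: {slow / 86400:10.1f} days")
    print("example:", random_passphrase(WORDLIST))
```

Run as is, the table shows why the post's “random letters today, random words tomorrow” worry is really about the hash: 44 bits lasts about a minute and a half against an unsalted fast hash at the assumed rate and about 28 years against bcrypt, and a famous phrase from a ten-million-entry corpus is beaten by either in no time.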

#2: WordPress Plugins and Two-Step Authentication

The next solution is to switch to a two-step authentication system: that is, to first enter your password and then to confirm your identity, generally with a one-time code sent to your mobile phone by SMS or generated by an authenticator app, which expires within a short window and is never accepted twice. Google pushes two-step verification on all of its users, and WordPress has a list of two-step authentication plugins for the blogger seeking additional security.

Problem: this is an excellent solution for your big passwords, such as the ones you use for Google, WordPress, or your bank. However, nobody is going to sign up for two-step authentication for every single online site that requires a password (and most do, these days). That’s where the hackers are going to get you: a site with no second step leaks its password database, and if that password is the same one you use on an important account, the second step protects only the login it guards, not the reused password itself.

#3: Third-Party Resources

Yet another solution is to assume your security will get breached and buy software that notifies you the instant the breach occurs, while building in-network systems to contain the damage and block repeat attempts. This is the approach of breach-detection products such as Trend Micro’s Deep Discovery. Their theory also follows the vaccine model: once the vendor has built a detection for a particular kind of attack seen on one network, it can push that detection out to protect every other network it monitors.

What’s going to happen next in the world of network security? As in the past, expect systems to be ever-evolving. Yes, choose a WordPress two-step authentication plugin, change your passphrase to a string of four dictionary words picked at random rather than by you, and consider purchasing a third-party system, especially if you run a small business and have access to a lot of sensitive data on your network.

And, three years from now, expect to have to do something different.

The passwords are dead. Long live the passwords.
