Why passwords have never been weaker—and crackers have never been stronger, a great article from Ars Technica. Also emphasizes why two-factor authentication is going to become more important in the coming years.
Nice post. I wonder, do you envision building any tools to better facilitate password creation and management within WordPress?
For instance, one could include a simple generator. Most don’t even know where to get one and barely trust the ones that come via websites.
Another option might be a built-in global password reset, would be very useful for when an instance is compromised. There aren’t that many “easy” ways to do this for most users.
This might be one of those things that better falls into a plugin, maybe it falls into core, I don’t know, but worth a thought.
While passwords have become weaker, can applications take an approach to better address the shortfall? I think that’s the question, besides, in InfoSec, as you likely know, you never leave it to the user. 🙂
Random ramblings…
Thanks for sharing though…
It’s funny how two-factor authentication was considered just something for the uber paranoid, or the uber secretive before. Now, I’m recommending it to my mum!
Something Perezbox’s comment made me think of…
Matt, when do you think WordPress.com will have two-factor authentication available? And when will that be available on self-hosted blogs via JetPack or similar?
Obviously I don’t expect dates, I’m really asking if it’s something you’re thinking about 🙂
I’ve been using Henrik Schack’s Google Authenticator plugin to add two factor authentication for admin users on a bunch of self-hosted WordPress blogs for the last couple of months, and it works like a charm.
There’s already a plugin available (http://wordpress.org/extend/plugins/one-time-password/); together with a phone running the one-time password generator app and the password you (hopefully) have in your brain, you get two-factor authentication as soon as you install it.
I always figured I was the only one paranoid enough to be using this sort of thing. Since the leader of the project is chatting about it online quite often now, I’d like to suggest WordPress core has some sort of multi-factor system rolled in.
Even if it is just an option, it would immediately make a whole lot more people more likely to make their site more secure. I might cross-post this some place else since your blog isn’t the most obvious place to have a discussion about this.
Along the lines of what Japh said, I’ve had to have several “let’s talk about your passwords and managing them” discussions with family and friends. It’s very hard to get across to some “casual” users (and I mean that in a most respectful tone) how dangerous it is using weak or the same passwords all over the place. I try to point out the many different disaster scenarios, but everyone seems to think it won’t happen to them. Until it does.
Thanks for sharing this article, Matt, and thank goodness for apps like LastPass and 1Password that help us all sleep at least a little more soundly at night. 🙂
Oh, and having two factor auth as a built in option for WordPress blogs would be awesome! 🙂
I would like to see WordPress drop MD5 and go with a much better algorithm like SHA-256.
Fixed years ago with a YubiKey, which is supported by WordPress (with a plugin), and LastPass. Blogged here: http://wombatdiet.net/2010/01/29/yubikey-gadget-of-the-month/
Hi Perezbox: The Login Security Solution plugin (pardon the self-promotion here) has the ability to require new passwords. It sets a flag in the users’ meta data. It also ensures that new passwords are very strong.
While it’s similar to several existing WP plugins, it consolidates the various features and turns the power and quality up to 11.
–Dan
Two-factor authentication does solve some problems, and it should be widely implemented, but it’s dangerous to think of it as a silver bullet. Bruce Schneier pointed out some very obvious attack vectors that workaround two-factor auth back in 2009 — http://www.schneier.com/blog/archives/2009/09/hacking_two-fac.html.
WP supports MD5 for backwards compatibility, but switched to PHPass for new passwords years ago.
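The exchange above (the request to drop MD5, and the reply that new passwords already go through PHPass) turns on a distinction that SHA-256 alone would not fix: a fast, unsalted digest lets an attacker test candidates at full hardware speed and reuse one cracked hash across every account with that password, whereas a password hash needs a per-user salt and a deliberately slow derivation. The example below is added here and is not WordPress’s or PHPass’s code; it uses PBKDF2-HMAC-SHA256 from Python’s standard library as a stand-in for the slow, salted scheme, alongside the legacy unsalted MD5 for contrast. The storage format string is an assumption chosen for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2-sha256"


def md5_digest(password: str) -> str:
    """Legacy scheme: unsalted, fast. Identical passwords give identical hashes,
    so one precomputed table or one cracked hash covers every user with that password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = 600_000,
                  salt: Optional[bytes] = None) -> str:
    """Store a self-describing string: $<alg>$<iterations>$<salt>$<derived key>.
    A fresh 16-byte random salt per user defeats shared precomputation; the
    iteration count makes each guess cost the attacker the same work it costs us."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    fields = ["", ALGORITHM, str(iterations),
              base64.b64encode(salt).decode("ascii"),
              base64.b64encode(dk).decode("ascii")]
    return "$".join(fields)


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, compare in constant time.
    Anything that is not a well-formed record (including an old MD5 hex digest)
    verifies as False rather than raising, so a migration path can fall through
    to the legacy check deliberately instead of by accident."""
    try:
        empty, alg, iters, salt_b64, dk_b64 = stored.split("$")
        if empty != "" or alg != ALGORITHM:
            return False
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
    except ValueError:           # wrong field count, bad int, or invalid base64
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def same_password_collides(scheme, password: str) -> bool:
    """Do two users who chose the same password end up with the same stored value?"""
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    # Constructed demo: two accounts that picked the same (weak) password.
    pw = "password"
    print("MD5 collides across users:   ", same_password_collides(md5_digest, pw))
    print("PBKDF2 collides across users:", same_password_collides(hash_password, pw))
    record = hash_password(pw)
    print("stored:", record)
    print("verify correct:", verify_password(pw, record))
    print("verify wrong:  ", verify_password("Password", record))
```

The iteration count is carried inside each record, so it can be raised for new or re-hashed passwords without invalidating existing ones; that is the same property that let WordPress move new passwords to PHPass while still recognising old MD5 records.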