Why passwords have never been weaker—and crackers have never been stronger, a great article from Ars Technica. It also emphasizes why two-factor authentication is going to become more important in the coming years.

13 thoughts on “State of Password Cracking”

  1. Nice post. I wonder, do you envision building any tools to better facilitate password creation and management within WordPress?

    For instance, one could include a simple generator. Most don’t even know where to get one and barely trust the ones that come via websites.

    Another option might be a built-in global password reset, which would be very useful when an instance is compromised. There aren’t that many “easy” ways to do this for most users.

    This might be one of those things that better falls into a plugin, maybe it falls into core, I don’t know, but worth a thought.

    While passwords have become weaker, can applications take an approach to better address the shortfall? I think that’s the question, besides, in InfoSec, as you likely know, you never leave it to the user. 🙂

    Random ramblings.

    Thanks for sharing though.

  2. It’s funny how two-factor authentication was considered just something for the uber paranoid, or the uber secretive before. Now, I’m recommending it to my mum!

    1. Something Perezbox’s comment made me think of…

      Matt, when do you think WordPress.com will have two-factor authentication available? And when will that be available on self-hosted blogs via JetPack or similar?

      Obviously I don’t expect dates, I’m really asking if it’s something you’re thinking about 🙂

  3. I always figured I was the only one paranoid enough to be using this sort of thing. Since the leader of the project is chatting about it online quite often now, I’d like to suggest WordPress core has some sort of multi-factor system rolled in.

    Even if it is just an option, it would immediately make a whole lot more people more likely to make their site more secure. I might cross-post this some place else since your blog isn’t the most obvious place to have a discussion about this.

  4. Along the lines of what Japh said, I’ve had to have several “let’s talk about your passwords and managing them” discussions with family and friends. It’s very hard to get across to some “casual” users (and I mean that in a most respectful tone) how dangerous it is using weak or the same passwords all over the place. I try to point out the many different disaster scenarios, but everyone seems to think it won’t happen to them. Until it does.

    Thanks for sharing this article, Matt, and thank goodness for apps like LastPass and 1Password that help us all sleep at least a little more soundly at night. 🙂

    Oh, and having two-factor auth as a built-in option for WordPress blogs would be awesome! 🙂

  5. Hi Perezbox: The Login Security Solution plugin (pardon the self-promotion here) has the ability to require new passwords. It sets a flag in the users’ meta data. It also ensures new passwords are very strong.

    While it’s similar to several existing WP plugins, it consolidates the various features and turns the power and quality up to 11.
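The two mechanisms raised in this thread, a site-wide “everyone must pick a new password” reset (comment 1) and a user-meta flag that blocks login until a strong new password is set (comment 5), can be sketched in a few WordPress hooks. The snippet below is an added example for illustration, not code from the Login Security Solution plugin or from this page. The hook names (`wp_authenticate_user`, `user_profile_update_errors`, `validate_password_reset`, `after_password_reset`, `profile_update`) are real WordPress hooks; the meta key, function names and the 12-character / three-character-class policy are assumptions chosen for the example.

```php
<?php
/*
 * Added example (not the plugin's or the page's own code): force a password
 * reset via a user-meta flag and enforce a minimum strength on new passwords.
 * Meta key and policy values below are assumptions for this example.
 */

define( 'EXAMPLE_FORCE_RESET_META', '_example_force_password_reset' ); // assumed key

// "Global reset": flag every account so nobody can log in until they set a new password.
function example_force_reset_all_users() {
    foreach ( get_users( array( 'fields' => 'ID' ) ) as $user_id ) {
        update_user_meta( (int) $user_id, EXAMPLE_FORCE_RESET_META, time() );
    }
}

// Refuse login for flagged accounts and point the user at the reset flow.
function example_block_flagged_login( $user, $password ) {
    if ( is_wp_error( $user ) ) {
        return $user; // credentials already rejected, nothing to add
    }
    if ( get_user_meta( $user->ID, EXAMPLE_FORCE_RESET_META, true ) ) {
        return new WP_Error(
            'example_password_reset_required',
            sprintf(
                __( 'Your password must be reset before you can log in. <a href="%s">Reset it here</a>.' ),
                esc_url( wp_lostpassword_url() )
            )
        );
    }
    return $user;
}
add_filter( 'wp_authenticate_user', 'example_block_flagged_login', 10, 2 );

// Minimal strength policy (assumed): at least 12 characters and three of the
// four classes lowercase / uppercase / digit / symbol.
function example_password_is_strong( $password ) {
    if ( strlen( $password ) < 12 ) {
        return false;
    }
    $classes = 0;
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $re ) {
        if ( preg_match( $re, $password ) ) {
            $classes++;
        }
    }
    return $classes >= 3;
}

// Shared helper: add an error to a WP_Error object when the submitted password is weak.
function example_reject_weak_password( $errors ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // no password change in this request
    }
    if ( ! example_password_is_strong( wp_unslash( $_POST['pass1'] ) ) ) {
        $errors->add(
            'example_weak_password',
            __( 'Password must be at least 12 characters and use three of: lowercase, uppercase, digits, symbols.' )
        );
    }
}

// Profile / user-edit screen: validate the new password before it is saved.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    example_reject_weak_password( $errors );
}, 10, 3 );

// Lost-password reset form: same check, same policy.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    example_reject_weak_password( $errors );
}, 10, 2 );

// Once a strong password has actually been stored, clear the "must reset" flag.
add_action( 'after_password_reset', function ( $user ) {
    delete_user_meta( $user->ID, EXAMPLE_FORCE_RESET_META );
} );
add_action( 'profile_update', function ( $user_id ) {
    if ( ! empty( $_POST['pass1'] ) ) { // profile_update only fires after validation passed
        delete_user_meta( $user_id, EXAMPLE_FORCE_RESET_META );
    }
} );
```

The design point is that the flag is checked at authentication time rather than trusting a client-side prompt, and it is only cleared by the hooks that run after WordPress has accepted and stored a new password, so a user cannot bypass the requirement by abandoning the reset form. Calling `example_force_reset_all_users()` once (for instance from an admin action after a suspected compromise) gives the “global reset” that comment 1 asks for without touching any stored password hashes.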