On September 10th, 2014, the Time.com news portal reported that about 5 million Google emails and passwords were leaked on an underground Russian website. This in itself is not directly related to WordPress security, but knowing that many folks use the same passwords for many of their sites, emails, etc – it would be wise to change/update your passwords immediately – especially if you are using the same Gmail password on your WordPress site.
Ref: http://time.com/3318853/google-user-logins-bitcoin/
Weak Passwords
Many folks use the same “easy to remember” passwords, such as a combination of their birthdate, their spouse’s name, their anniversary or something similar. Most of these word combinations are found in a dictionary, which would allow an attacker to launch a brute force attack against “wp-login.php” with an automated script. To resist these automated attacks, your password should contain non-alphanumeric characters such as !)*#$^&%@ in addition to numbers and letters.
But the problem with such cryptic passwords is that nobody can remember them. So what is the solution? There are 2 possible solutions:
- use a long, nonsensical phrase and mix it with some numbers and symbols
- use a password manager such as RoboForm (or your browser’s built-in password manager)
For example, go to this site: https://howsecureismypassword.net/
WARNING:
Never enter your real password on that site or on any site that doesn’t belong to you – you never know whether the site is silently capturing everything that’s entered on the form.
Ok, now with that warning out of the way, let’s do this test: Enter this password: q34#@5o8X
It’s quite cryptic and looks strong enough. But the password security check form says it would take 275 days (less than a year) for a password cracker running on a desktop computer to crack it. On powerful, dedicated servers, the time would be much shorter.
Now, enter this nonsensical phrase: daCowJumpOvertheSunAndBakeCookies2014@
It’s easy enough to remember, right? Guess how “difficult” it would be for an automated tool to crack?
I’ve no idea how long “septendecillion” is, but I would safely say a few million lifetimes 🙂
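The difference between the two passwords above comes down to the size of the search space: the number of characters multiplied out over the number of character classes in use. The following Python snippet is an added example (not code from the original post and not the logic behind howsecureismypassword.net) that estimates that search space for both passwords and applies a simple defender-side policy check. The guess rate, the minimum length and the tiny word list are constructed assumptions for illustration only.

```python
import math
import string

# Character classes the post recommends mixing: letters (both cases), digits, symbols.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Constructed stand-in for a real dictionary/wordlist (assumption, not a real list).
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "summer2014"}


def charset_size(password):
    """Size of the alphabet an exhaustive search would need to cover this password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace_bits(password):
    """log2 of the number of candidates in a brute force search over the same alphabet."""
    size = charset_size(password)
    if not password or size == 0:
        return 0.0
    return len(password) * math.log2(size)


def estimated_crack_seconds(password, guesses_per_second):
    """Worst-case seconds for an exhaustive search at an assumed guess rate."""
    return 2 ** keyspace_bits(password) / guesses_per_second


def check_policy(password, min_len=12):
    """Return a list of policy problems; an empty list means the password passes.

    min_len=12 is an assumed policy value, not a figure from the post."""
    problems = []
    if password.lower() in COMMON_WORDS:
        problems.append("appears in common-word list")
    if len(password) < min_len:
        problems.append("shorter than %d characters" % min_len)
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            problems.append("missing %s character" % name)
    return problems


if __name__ == "__main__":
    # Assumed guess rate of one billion guesses per second (constructed figure).
    rate = 1e9
    for pw in ("q34#@5o8X", "daCowJumpOvertheSunAndBakeCookies2014@"):
        years = estimated_crack_seconds(pw, rate) / (365 * 24 * 3600)
        print("%-40s bits=%6.1f  ~%.3g years  problems=%s"
              % (pw, keyspace_bits(pw), years, check_policy(pw)))
```

Both passwords draw from the same 94-character alphabet; the phrase is simply four times as long, and every extra character multiplies the search space by 94. The policy check flags the short password only for its length and accepts the phrase, which is the point of the post: length you can remember beats symbols you cannot.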
Final note: Don’t use the phrase above now that it’s published for the whole world to see – but you get the idea – a long nonsensical phrase that you can easily remember – maybe a combination of your favorite food, color, car, hobbies, family, etc. Add in some numbers and sprinkle in a couple of symbols.
AND, don’t use the same password on all your sites. This is the rule I follow:
- For financial sites such as online banking, Paypal, etc – I would have separate, very difficult passwords for them
- For my own professional websites (such as fwguys.com) – it would be another set of difficult passwords
- For social media sites such as Facebook, Gmail, YahooMail, etc. – it would be another set of passwords
- For general forums and everything else – something easy to remember where if the account is compromised, it would not cause any harm.