More security steps you can take, beyond good passwords: WordPress Security for People Without Technical WordPress Knowledge.
Password Security on Your WordPress Site and the Internet
I’m going to cover:
- Choosing and using a Password Keeper for every password you use, plus other secure information such as bank account numbers;
- How to make a truly secure password for your password keeper's master password, and for the few passwords you type frequently. These must be hard for hackers to guess, yet easy for you to remember and easy for you to type;
- How easily most passwords are guessed by hackers, since the rules for making complex passwords are thoroughly known by hackers.
You must use very strong passwords on your WordPress site. (You should use very strong passwords on every web site you use.) While WordPress encrypts your stored passwords, and the encryption is strong enough that hackers can't break it directly, hackers know the way we've all been taught to make “secure” passwords, and that lets them guess your passwords.
If hackers have stolen a copy of the site database (for example, an un-encrypted backup), or have hacked access to the database, they can test literally billions of password-guesses per second, using free widely available software.
If hackers can test passwords using the standard WordPress login form, and you haven’t restricted that, they can test thousands of passwords in a couple of hours. (Most WordPress security plugins have the feature to restrict login attempts.)
One way of making passwords that is actually secure, but that you'll never be able to remember, is to use a password generator. Use the generator built into password-keeping software, and all you have to remember is the “master” password for the password keeper. The software remembers all your user names, account numbers, and passwords, plus any other information you keep as notes for that site.
Only download software that is so obviously about security from a site that has technical strength, runs industry-leading anti-virus scanning on its downloads, has excellent reviews, and has a reputation to maintain.
No downloading any software because there was a pretty ad about it on _____ (fill in the social media site). If you use a hacker’s program as your password keeper, guess what they’ll do…
For password storage, you also must select a program that uses 256-bit (or stronger) open-source encryption; the more security experts who have had a chance to review it for weaknesses, the better. Proprietary software doesn't get these many eyes checking for problems; companies are proud of their software, and look at how good it is, not where it is weak.
You also need a program that runs on your own computer, and your password keeper has to be able to work from your thumb drive and/or your tablet or phone. A web-based solution is okay if you synchronize a local copy with it; you can't risk their business suddenly closing with all your passwords gone.
Another feature to look for is a standard method for exporting your information, for example to an XML or text file, should you ever want to change to another program. But know that this export is an unencrypted, insecure file; make backups using your encrypted password file, not the unencrypted export.
Beyond passwords, you can also use the software for storing bank account numbers, credit cards, library cards, any account numbers, serial numbers, registration numbers, etc.
This is not a complete list, but these work very well, and are trusted sources:
On Windows, I download almost all my shareware from CNET or SourceForge. Get KeePass and also get the portable (run off your thumb drive) version. (Unless you have a strong reason to use the original version, which is still being maintained, get the KeePass 2.x edition.) The main site is on SourceForge (downloads here), and the KeePass web site is excellent for learning what makes good password software, even if their software isn't what you use, e.g. you use OS/X but don't have Mono. There are versions or ports for Android, OS/X with Mono, iPhone, Linux. Some of the key features:
- KeePass supports the Advanced Encryption Standard (AES, Rijndael) and the Twofish algorithm to encrypt its password databases. Both of these ciphers are regarded as being very secure. For example, AES became effective as a U.S. Federal government standard and is approved by the National Security Agency (NSA) for top secret information.
- The complete database is encrypted, not only the password fields. So, your user names, notes, etc. are encrypted, too.
- Your computer’s clipboard is cleared in a few seconds, so your un-encrypted password isn’t left in memory.
On OS/X: Either use KeePass, or Keychain http://www.macworld.com/article/2013756/how-to-manage-passwords-with-keychain-access.html or 1Password.
Password Managers include: Password Safe, KeePassX, 1Password, LastPass
For each site, use the longest password the site allows, up to maybe 60 characters. Your password keeper will let you copy/paste the password, so you don’t have to ever type it. (As long as it is a random computer-generated password, 60 characters is “lifetime strong”.)
Never use a password on more than one site. If someone gets your password at your favorite pizza place, and orders a pizza “for carry out” on your card, you don’t want them also able to use your video streaming account, right?
Whatever password keeper you use, keep the master password with someone trusted (for example your attorney keeping your will, or the main person who will manage your estate) in case of your death or other inability to type your password. See The 1Password Emergency Kit: Version 3.0 for how to do this.
Old Rules to Make “Secure” Passwords Are Too Easy to Guess
You have to remember your password keeper’s master password. Forget it and all your other passwords are encrypted in a way that cannot be broken (unless of course your master password is so weak it can be guessed).
But the rules we’ve been told by technical support people for decades for making passwords are not secure any more. The main reason is simple: there is software that can make billions of guesses of your password per minute, and hackers using it know all the “clever” rules people come up with for making passwords.
Yes, if the software had to try every combination of letters, numbers and punctuation in an 8-character password (26 lower-case letters, 26 upper-case letters, 10 digits, about 32 punctuation marks, 94 symbols in all), that’s 94^8 = 6,095,689,385,410,816 combinations. So your password generator can generate a password that even at 8 characters long would take a long time to break, and many sites will allow 40 characters or longer (use the longest the site will take).
But if you need to make a password that you can remember, those ways of making a “secure but memorable” password are all known, and even 8-character passwords (and often longer) can be guessed in under a day. You need a password that can’t be guessed during your lifetime!
Don’t believe it? Maybe you will when you read this…
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/ says “In March, readers followed along as Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, downloaded a list of more than 16,000 cryptographically hashed passcodes [encrypted with MD5 but not salted]. Within a few hours, he deciphered almost half of them. The moral of the story: if a reporter with zero training in the ancient art of password cracking can achieve such results, imagine what more seasoned attackers can do… Even the least successful cracker of our trio — who used the least amount of hardware, devoted only one hour, used a tiny word list, and conducted an interview throughout the process — was able to decipher 62 percent of the passwords. Our top cracker snagged 90 percent of them… Using a commodity computer with a single AMD Radeon 7970 graphics card, it took him 20 hours to crack 14,734 of the hashes, a 90-percent success rate. Jens Steube, the lead developer behind oclHashcat-plus, achieved impressive results as well. Steube unscrambled 13,486 hashes (82 percent) in a little more than one hour, using a slightly more powerful machine that contained two AMD Radeon 6990 graphics cards.”
(oclHashcat-plus is the freely available password-cracking software both Anderson and all crackers in that article used.)
http://arstechnica.com/security/2012/08/passwords-under-assault/ “A PC running a single AMD Radeon HD7970 GPU, for instance, can try on average an astounding 8.2 billion password combinations each second, depending on the algorithm used to scramble them.” [Notice the date, that’s with an “ancient” 2012 computer.]
That 8 billion per second rate applies if someone stole a backup of your database, for example. If they were going to try logging in to WordPress instead, perhaps 100-200 attempts per second would be easy from a single computer. How many computers working together in a hacker network could attack your site at once, if you don’t have software limiting the number of attempts? I’ve seen over 100,000 in a night, from about 10 computers.
Making Secure Passwords You Can Remember
The comments on the original correct horse battery staple page point out that if all the words you pick are in the 5,000 most popular English words, then you should calculate the time it takes the password software to go through 625,000,000,000,000 combinations.
60 seconds * 60 minutes * 24 hours = 86,400 seconds/day. At 8 billion per second, they have your “four common words” password in about 1 day, using a “wimpy” 4 year old computer (now 2016).
Obviously one way to make your password (pass phrase) more secure is to use at least one word that is not in that tiny dictionary of most popular words. Engineering, scientific, medical, foreign-language, or any other more obscure words will do; but they have to be easy for you to remember, and to remember how to spell. (Or, remember consistently how to mis-spell!)
Another way to make your password more secure is to use 5-8 words. But remembering 4 random words is hard enough for most people. (Tip: get one of the associative memory courses, such as MegaMemory.) If you have a system memorized already, okay. If you have the type of memory where you know every move of every chess game Kasparov ever played, good for you, use it. But if you don’t, here’s how.
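To make the arithmetic in this section reusable, here is an added calculator (example code written for this page, not code from the article or from any password-manager project). It uses the guessing rates quoted above (8.2 billion per second offline against a stolen database, 200 per second against the WordPress login form) and assumes a 100,000-word list for an "obscure" word purely for illustration.

```python
from math import log2

OFFLINE_GUESSES_PER_SEC = 8.2e9  # one 2012 GPU against unsalted hashes (figure quoted in the article)
ONLINE_GUESSES_PER_SEC = 200     # one machine against wp-login (upper end of the article's 100-200)
SECONDS_PER_DAY = 60 * 60 * 24   # 86,400, as in the article

def random_password_space(length, alphabet_size=94):
    """Candidates for a generator-made password: every symbol equally likely."""
    return alphabet_size ** length

def passphrase_space(dictionary_sizes):
    """Candidates for a word passphrase when the attacker knows which word list
    each word came from: the product of the list sizes. One word from a bigger
    list multiplies the work, which is the article's point about obscure words."""
    space = 1
    for size in dictionary_sizes:
        space *= size
    return space

def days_to_exhaust(space, guesses_per_sec):
    """Worst-case days to try every candidate at the given guessing rate."""
    return space / guesses_per_sec / SECONDS_PER_DAY

def describe(label, space):
    """Print one row: candidates, bits of entropy, exhaustion time offline and online."""
    off = days_to_exhaust(space, OFFLINE_GUESSES_PER_SEC)
    on = days_to_exhaust(space, ONLINE_GUESSES_PER_SEC)
    print(f"{label:<40} {space:>24,d} {log2(space):5.1f} bits"
          f"  offline {off:>10.3g} d  online {on:>10.3g} d")

if __name__ == "__main__":
    describe("8 random chars (94-symbol alphabet)", random_password_space(8))
    describe("12 random chars (94-symbol alphabet)", random_password_space(12))
    describe("4 words from the 5,000 most common", passphrase_space([5000] * 4))
    # assumed: the obscure word is drawn from a 100,000-word list
    describe("4 words, one from a 100,000-word list", passphrase_space([5000] * 3 + [100_000]))
    describe("6 words from the 5,000 most common", passphrase_space([5000] * 6))
```

With the article's own figures the 8-character random password falls in about 9 days offline and 4 common words in under a day, while 12 random characters or 6 words are out of reach; against the login form even 4 common words take roughly a hundred thousand years, which is why limiting login attempts matters so much.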
Making a Memorable Secure Password Phrase
You need a very secure password for your password keeper’s master password, and for the very few sites that you log into often (e.g. the “editor” password for your WordPress site, but not the administrator password for your site). These passwords have to be very easy to remember and easy for you to type.
I think the proper person for teaching this task is:
Now, pick a “mini-scene”, for example the robin or the mirror, and describe it in 5-8 words. For this mini-scene, perhaps “robin feathering fly mary whistle duet” (a robin feathering his nest flies to Mary Poppins and they whistle a duet) but don’t use that, make your own story. As long as you pick a vivid, memorable mini-scene, the “story” you make up will be completely memorable to you, but not easy for anyone to guess, even if they know what movie you love.
- Ignore any 1-3 letter words unless important.
- Don’t take a lyric or famous quote, as those could be in the “dictionary” of some hackers. “spoonful of sugar” is a lousy password, “spoonful of sugar to help the medicine go down” is so famous it’s not much better than “spoonful1964”
- No punctuation between words (spaces aren’t allowed on some sites, and punctuation is harder to type); or if you must, use the same common punctuation between each word; no having to remember which one you used.
- Pick one place to put a capital letter, probably the first letter of the first word, and use that place for every password you make.
- Pick one place to put a digit (probably the end), and one place to put a punctuation mark (probably after the digit). Use the same digit, punctuation mark and place for every password you make, so you don’t have to remember what and where you picked.
- Only use punctuation that is accepted on almost all web sites, e.g. the top row of your keyboard, ~!@#$%^&*()_+-= so you don’t have to remember which sites use which punctuation mark.
- If you’re not certain whether to use singular or plural (“was it penguin or penguins who bowed in the cafe?”) always use singular (the simpler word). Or, move slightly ahead or back in time, so it is clear (“how many penguins gave Mary a kiss?” You do remember, don’t you, even after the years since you watched Mary Poppins? Go watch again…)
- Any time remembering it “wrong” will be highly memorable, go with it. If you can vividly see in your imagination that in “The Matrix”, Neo did a cartwheel and grabbed a Howitzer off the floor (instead of a machine gun), excellent.
- Any time a more complex or less common word would be memorable, use it. Know your birds? Use the actual type of robin Mary sang to, instead of “bird”.
Some more practice making stories from mini-scenes (but soon quit practicing, pick a movie you love, change your password keeper’s master password!). This is quite a curtain call:
What does Neo do?