More security steps you can take, beyond good passwords: WordPress Security for People Without Technical WordPress Knowledge.
Password Security on Your WordPress Site and the Internet
I’m going to cover:
- Why you must use strong passwords, and a different password for each site.
- Choosing and using a Password Keeper to save every password you use;
- How to store other secure information such as bank account numbers and ;
- How easily most passwords are guessed by hacker software, since the rules people use for making passwords are thoroughly known by hackers.
What I Don’t Cover Here
How to make a truly secure password for your password keeper master password, and for the (very few) passwords you type frequently. This must be hard for hackers to guess, easy for you to remember and easy for you to type. For this, see my page on Making a Master Password for your Password Keeper.
Must Have Strong Passwords for Every Website
You must use very strong passwords on your WordPress site. You should use very strong passwords on every web site you use.
WordPress stores your passwords in a one-way scrambled (“hashed”) form, and that scrambling is strong enough that hackers can’t reverse it. But hackers know the rules we’ve all been taught for making “secure” passwords, and that lets them run scripts that guess passwords automatically.
If hackers have stolen a copy of the site database (for example, an un-encrypted backup), or have hacked their way into the database, they can test literally billions of password guesses per second, using free, widely available software.
Hackers have gotten the username and password for every user of several large websites. If you are using one of the 100 million most common passwords, hackers just have to compare the encrypted form of the password against the encrypted entries in their password list — very easy for computers to do.
If hackers can test passwords using the standard WordPress login form, and you haven’t restricted that, they can test thousands of passwords in a couple of hours. (To restrict login attempts, install a WordPress security plugin such as Wordfence or iThemes Security. Most WordPress security plugins have a feature to limit login attempts.)
Making a Secure Password
The rules we’ve been taught for years for making a “secure” password aren’t good enough. Those rules actually limit the possible passwords a hacker’s software has to check. For example, the “word plus number plus punctuation” rule makes a password that is basically as easy to guess as a three-character password: the word is one entry in a dictionary, and the number and the punctuation mark are each one choice out of about 100 characters.
Hackers know all the “substitute a number for a vowel” rules, such as 3 for m or 0 for o (zero for oh), and those substitutions are easier for a computer to check than they are for you to remember.
One way to make passwords that are actually secure (though you’ll never be able to remember them) is to use a password generator. Use the password generator built into password keeper software, and all you have to remember is the “master” password for the password keeper.
The password keeper software will remember all your user names, account numbers, and passwords, plus any other information you keep as notes for that site.
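As an added example (my own code, not code from this page or from any password manager named here), this Python snippet shows what a password generator does under the hood: it draws each character uniformly from the 94-character keyboard set using the operating system’s cryptographic random source, with no human rule involved. The function names and the “every character class present” retry are my assumptions.

```python
import secrets
import string

# Character classes assumed for a "full keyboard" password. The set is
# 26 + 26 + 10 + 32 = 94 characters, the same count used later on this page.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
PUNCT = string.punctuation  # 32 ASCII punctuation marks
ALPHABET = LOWER + UPPER + DIGITS + PUNCT


def has_all_classes(pw: str) -> bool:
    """True if the password contains at least one lower, upper, digit and mark."""
    return (any(c in LOWER for c in pw) and any(c in UPPER for c in pw)
            and any(c in DIGITS for c in pw) and any(c in PUNCT for c in pw))


def generate_password(length: int = 60) -> str:
    """Return `length` characters drawn uniformly from ALPHABET.

    `secrets` uses the OS cryptographic random source; the ordinary `random`
    module is predictable and must never be used for passwords.
    """
    if length < 4:
        raise ValueError("length must be at least 4 so every class can appear")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejection sampling: retry until every class is present, so sites that
        # demand "at least one digit and one symbol" accept it. Discarding the
        # rare output that misses a class does not make the rest guessable.
        if has_all_classes(pw):
            return pw


if __name__ == "__main__":
    # Example usage: a 60-character password, the length recommended on this page.
    print(generate_password(60))
```

Every call produces a fresh, unrelated password; the only thing to remember is the master password of the keeper that stores them.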
“A password manager is just software that creates, stores and organizes all your passwords for your computers, websites, applications and networks.” (Source: http://thehackernews.com/2016/07/best-password-manager.html)
I’ll give you my recommendation for which password keeper to use. But first, it’s important that you understand how to select a password manager.
Beyond storing user names and passwords, you can also use your password keeper for storing “secure notes” such as bank account numbers, credit cards, library cards, any account numbers, serial numbers, registration numbers, router configuration details, etc. Many password keepers have fields specially for these uses, which is better than only having a “notes” area.
Software this obviously about security should only be downloaded from a site that has technical strength, runs industry-leading anti-virus software, has excellent reviews, and has a reputation to maintain.
Never download any software because there was a pretty advertisement for it on _____ (fill in the social media site). If you use a hacker’s program as your password keeper, guess what they’ll do…
For password storage, you also must select a program that uses 256-bit (or stronger) open source encryption. The more security experts who have had a chance to review the software for weaknesses, the better. Proprietary software doesn’t get as many eyes checking for problems; companies are proud of their software and look at how good it is, not where it is weak.
You also need a program that lives on your own computer, and your password keeper has to be able to work from your thumb drive and/or your tablet or phone. A web-based solution is okay if you synchronize to it, or can easily back up the data to your computer in an encrypted format (e.g. a .zip file with a password); you can’t risk their business suddenly closing with all your passwords gone.
Another feature to look for is a standard method for exporting your information, for example an XML or CSV text file, should you ever want to change to another program. But know that this export is an insecure file; make backups of your encrypted password file, not the un-encrypted export.
This is not a complete list of good password keepers, but these work very well, and are trusted sources:
The password manager I am currently using is LastPass, available for all devices, with a free version (the free version covers either desktop or mobile, not both).
LastPass is easier to use than KeePass (which I used to use) in several small but important ways. It notices when you visit a site and offers to fill in the login form for you. (Or you can configure it, per site, to let you pick which login name to use, for example because I host websites for several clients.) It notices when you log into a site that you haven’t added to LastPass yet, and offers to save the login information. It also has fields for some common information, for example credit cards and WiFi credentials.
The complete database is encrypted, not only the password fields. So, your user names, notes, etc. are encrypted, too. Only the encrypted data is ever sent across the Internet.
They also have a paid version, with additional features. The most interesting paid feature is much better sharing of passwords, for example with a spouse. With the free version, you can specify single password entries to share with a specific person; you can even specify whether they can see the shared password or only use LastPass to fill it in when they log into a site.
LastPass works on Windows, OS X, Linux, iOS, and Android.
There are LastPass browser extensions for Chrome and for Firefox. Definitely install these; they make using LastPass easier.
Other Windows Password Keepers
On Windows, I download almost all my shareware and open source software from CNET or SourceForge. For iOS and Android, use the main Apple and Google libraries.
If you want a password keeper that is completely on your computer (and doesn’t talk to some company’s computer for storage), look at KeePass, and also get the portable version (it runs off your thumb drive). Unless you have a strong reason to use the original version, which is still being maintained, get the KeePass 2.x edition. The main site is on SourceForge (downloads here), and the KeePass web site is excellent for learning what makes good password software, even if their software isn’t what you use. I used to use KeePass before switching to LastPass. KeePass has versions or ports for Android, OS X (with Mono), iPhone, and Linux. Some of the key features:
- KeePass supports the Advanced Encryption Standard (AES, Rijndael) and the Twofish algorithm to encrypt its password databases. Both of these ciphers are regarded as being very secure. For example, AES became effective as a U.S. Federal government standard and is approved by the National Security Agency (NSA) for top secret information.
- The complete database is encrypted, not only the password fields. So, your user names, notes, etc. are encrypted, too.
- Your computer’s clipboard is cleared after a few seconds, so your un-encrypted password isn’t left in memory.
1Password is also excellent, with top security and more fields for storing special information than KeePass (KeePass only has title, user name, password, URL, and notes fields). 1Password can share a group of passwords with other people, so that they have access to the passwords (or other secure data such as account numbers); for example, if you are managing your elderly parent’s accounts, you have all their vital account numbers and passwords before they forget them.
OS X Password Keepers
Many people simply use Keychain (see http://www.macworld.com/article/2013756/how-to-manage-passwords-with-keychain-access.html). But it doesn’t give you the structured fields for storing other information.
Keychain easily synchronizes across your devices if they are connected to iCloud, but I know many people who have entered a password on one device and then been unable to log in from their other devices, and by the time they find out, they no longer know which device has the correct password. Keychain doesn’t have the ability to share certain passwords, for example with family members. Keychain is great for some things (for example saving software licenses), but don’t use it as a password keeper.
Linux Password Keepers
On Linux Mint, I use LastPass. It also works on Kali Linux.
There are several password keepers available via the Software Manager; check what they are designed for, because several are “on your computer” only and don’t sync to a central server, so you can’t access your passwords from your other devices.
You might be satisfied simply using the Chrome or Firefox browser extensions of whichever password keeper you use, if Linux isn’t your primary computer.
Exceptions to Using Password Keepers for Security
The only password you would ever casually share with someone should be your WiFi password. If your WiFi hardware supports it, use the “guest” account for visitors. Read how to make secure passwords for WiFi that you can type.
The only passwords you should frequently type are the ones for your computer, for your password keeper, and your bank card PIN. All others should be pasted from your password keeper.
Your printers and other Internet-enabled (or in-house WiFi enabled) devices will also need the WiFi password typed in. Type it in once, the device remembers the settings, and you don’t type it in again until you change the password.
Tip: find out if the device can use a Bluetooth keyboard; or organize the password into letters on the same “virtual keyboard”, e.g. numbers all together, punctuation all together, uppercase letters all together.
You should use your password keeper to share passwords for bank accounts or other financial institutions, where you share the account. For most people, this would only be your spouse or parents, or a business partner. (If possible, make a separate login for each person. But if not, most good password keeper software can securely share passwords you specify with a person.)
You should share your password keeper’s master password with the executor of your estate, or the person to whom you have given power of attorney: whoever would need to access your accounts if you are unable to.
If you die, and you have made someone able to access your account information, it will be much easier for them to finalize your accounts, cancel your subscriptions, turn off your repeating payments.
For technical support, make them a temporary user name, and let the software email them a password update link. It is a bad idea to ever send a password by email, text message or phone; it is too easy for email to be intercepted (and hackers can program searches of email traffic for “here’s your password” type messages).
When the technical support person is done, definitely disable their access completely or change the password.
Basics of Password Security
For each site, use the longest password the site allows, up to maybe 60 characters. Your password keeper will let you copy/paste the password, so you don’t have to ever type it. (As long as it is a random computer-generated password, 60 characters is “lifetime strong”.)
Never use a password on more than one site. If someone gets your password at your favorite pizza place and orders a pizza “for carry out” on your card, you don’t want them also able to use your video streaming account, right? LastPass will even warn you to change a password if it is used on more than one site.
Whatever password keeper you use, keep the master password with someone trusted (for example your attorney keeping your will, or the main person who will manage your estate) in case of your death or other inability to type your password. See The 1Password Emergency Kit: Version 3.0 for how to do this.
Old Rules to Make “Secure” Passwords Are Too Easy to Guess
You have to remember your password keeper’s master password. Forget it, and all your other passwords stay locked behind encryption that cannot be broken (unless, of course, your master password is so weak it can be guessed by password cracking software).
But the rules we’ve been told by technical support people for decades for making passwords are not secure any more. The main reason is simple: there is software that can make billions of guesses of your password per minute, and hackers using it know all the “clever” rules people come up with for making passwords.
Yes, if the software had to try every combination of letters, numbers and punctuation in an 8-character password (26 lower case letters, 26 upper case letters, 10 digits, about 32 punctuation marks), that’s 6,095,689,385,410,816 combinations. So your password generator can produce a password only 8 characters long that would take a very long time to break, and many sites will allow 40 characters or longer (use the longest the site will take).
But if you need to make a password that you can remember, those ways of making a “secure but memorable” password are all known, and even 8 character passwords (and often longer) can be guessed in under a day. You need a password that can’t be guessed during your lifetime!
Don’t believe it? Maybe you will when you read this…
https://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/ says: “In March, readers followed along as Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, downloaded a list of more than 16,000 cryptographically hashed passcodes [encrypted with MD5 but not salted]. Within a few hours, he deciphered almost half of them. The moral of the story: if a reporter with zero training in the ancient art of password cracking can achieve such results, imagine what more seasoned attackers can do… Even the least successful cracker of our trio — who used the least amount of hardware, devoted only one hour, used a tiny word list, and conducted an interview throughout the process — was able to decipher 62 percent of the passwords. Our top cracker snagged 90 percent of them… Using a commodity computer with a single AMD Radeon 7970 graphics card, it took him 20 hours to crack 14,734 of the hashes, a 90-percent success rate. Jens Steube, the lead developer behind oclHashcat-plus, achieved impressive results as well. Steube unscrambled 13,486 hashes (82 percent) in a little more than one hour, using a slightly more powerful machine that contained two AMD Radeon 6990 graphics cards.”
(oclHashcat-plus is the freely available password-cracking software both Anderson and all crackers in that article used.)
https://arstechnica.com/security/2012/08/passwords-under-assault/ “A PC running a single AMD Radeon HD7970 GPU, for instance, can try on average an astounding 8.2 billion password combinations each second, depending on the algorithm used to scramble them.” [Notice the date, that’s with an “ancient” 2012 computer.]
That 8 billion per second would be if someone stole a backup of the website’s database, for example. If they were going to try logging in to WordPress, perhaps 100-200 attempts per second would be easy, from a single computer. How many computers working together in a hacker network could attack your site at once, if you don’t have software limiting the number of attempts?
I’ve seen over 100,000 password guesses in a night, from about 10 computers, about a day after turning off protections on a testing site with a very good password.
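To show why limiting login attempts matters, here is an added Python illustration (my own, not code from Wordfence, iThemes Security or WordPress itself) of the lockout rule such plugins implement: after a handful of failed attempts from one address within a short window, further attempts are refused for a while. The event stream, the IP addresses (documentation ranges) and the thresholds are constructed for the example.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Minimal failed-login limiter (hypothetical; not any plugin's code).

    After `max_failures` failed attempts from one client address within
    `window` seconds, every attempt from that address is refused for
    `lockout` seconds without even checking the password.
    """

    def __init__(self, max_failures=5, window=300, lockout=900):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time at which the lock expires

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def record(self, ip, now, success):
        """Return 'locked' if refused, 'ok' on success, 'failed' on a bad password."""
        if self.is_locked(ip, now):
            return "locked"
        recent = self.failures[ip]
        while recent and now - recent[0] > self.window:   # forget old failures
            recent.popleft()
        if success:
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
        return "failed"


def simulate(events, throttle=None):
    """Feed (time, ip, success) events through the throttle.

    Returns, per address, how many attempts actually reached the password
    check; refused attempts cost the attacker a request but test no guess.
    """
    throttle = throttle if throttle is not None else LoginThrottle()
    checked = defaultdict(int)
    for when, ip, ok in events:
        if throttle.record(ip, when, ok) != "locked":
            checked[ip] += 1
    return dict(checked)


# Constructed sample: one machine guessing at 150 attempts/second for a minute
# (the page's "100-200 per second"), and the owner mistyping twice then succeeding.
ATTACKER = [(i / 150, "203.0.113.9", False) for i in range(150 * 60)]
OWNER = [(10.0, "198.51.100.4", False), (15.0, "198.51.100.4", False),
         (20.0, "198.51.100.4", True)]
EVENTS = sorted(ATTACKER + OWNER)

if __name__ == "__main__":
    print("with limiter:   ", simulate(EVENTS))
    print("without limiter:", simulate(EVENTS, LoginThrottle(max_failures=10**9)))
```

With the limiter, the guessing machine gets five guesses checked and the remaining 8,995 are refused; without it, all 9,000 are tested against the password, and that figure multiplies by however many machines the attacker controls.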
The comments on the original correct horse battery staple page point out that if all four words you pick are in the 5,000 most popular English words, then you should calculate the time it takes the password software to go through 625,000,000,000,000 (5000 x 5000 x 5000 x 5000) combinations.
There are 60 seconds * 60 minutes * 24 hours = 86,400 seconds/day. At 8 billion password guesses per second, they have your “four common words” password in about 1 day, using a “wimpy” 2012 computer.
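The arithmetic above, carried through in an added Python helper (my own code, not from the page or the articles it quotes): it computes how many guesses each password style allows and how many days it takes to try them all at the 8.2 billion guesses per second quoted from the 2012 article. The dictionary size (5,000 words) and the 94-character keyboard count are the page’s own figures; the 6-word and 12-character variants are my additions for comparison.

```python
GUESSES_PER_SECOND = 8.2e9          # single 2012 GPU, from the quoted article
SECONDS_PER_DAY = 60 * 60 * 24      # 86,400
KEYBOARD_CHARS = 26 + 26 + 10 + 32  # 94, as counted in the text
COMMON_WORDS = 5000                 # size of the "most popular words" list


def keyspace_random(length, alphabet_size=KEYBOARD_CHARS):
    """Number of possible passwords of `length` uniformly random characters."""
    return alphabet_size ** length


def keyspace_words(word_count, dictionary_size=COMMON_WORDS):
    """Number of possible passphrases of `word_count` words from one dictionary."""
    return dictionary_size ** word_count


def keyspace_word_digit_punct(dictionary_size=COMMON_WORDS, digits=10, punct=32):
    """The old 'word plus number plus punctuation' rule: one dictionary word,
    one digit and one punctuation mark (order assumed fixed: word, digit, mark)."""
    return dictionary_size * digits * punct


def days_to_try_all(keyspace, rate=GUESSES_PER_SECOND):
    """Days to exhaust the whole keyspace; on average the hit comes at half this."""
    return keyspace / rate / SECONDS_PER_DAY


def compare(rate=GUESSES_PER_SECOND):
    """Days to exhaust each scheme at `rate` guesses per second."""
    schemes = {
        "word + digit + punctuation": keyspace_word_digit_punct(),
        "4 common words": keyspace_words(4),
        "6 common words": keyspace_words(6),
        "8 random keyboard characters": keyspace_random(8),
        "12 random keyboard characters": keyspace_random(12),
    }
    return {name: days_to_try_all(space, rate) for name, space in schemes.items()}


if __name__ == "__main__":
    for name, days in compare().items():
        print(f"{name:32s} {days:,.3g} days")
```

The rate is for an unsalted, fast hash like the MD5 in the quoted test; the quote itself notes the figure depends on the algorithm. Against a stolen database the numbers above apply directly, while against a login form the attacker is limited to the far lower per-request rate discussed earlier.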
Making Secure Passwords You Can Remember
Obviously one way to make your password (pass phrase) more secure is use at least one word that is not in that tiny dictionary of most popular words. Engineering, scientific, medical, or any other more obscure words will do; but they have to be easy for you to remember, and remember how to spell. (Or, remember consistently how to mis-spell). Common foreign language words are also in hacker dictionaries, but less common ones are good to use; pick a language that is not common in the websites you use.
Another way to make your password more secure is use 6-8 words. But remembering 4 random words is hard enough for most people. (Tip: get one of the associative memory courses, such as MegaMemory.) If you have a system memorized already, okay. If you have the type of memory where you know every move of every chess game Kasparov ever played, good for you, use it. But if you don’t have a system, there is a good way to remember a short phrase.
Making a Memorable Secure Password Phrase
You need a very secure password as the master password for your password keeper software, for your computer login, and for the very few sites that you log into often.
See my post on how to make a good password phrase for your password keeper, it’s easier than you might think.