More security steps you can take, beyond good passwords: WordPress Security for People Without Technical WordPress Knowledge.
Password Security on Your WordPress Site and the Internet
I’m going to cover:
- Choosing and using a Password Keeper to save every password you use;
- How to store other secure information such as bank account numbers;
- How to make a truly secure password for your password keeper master password, and for the few passwords you type frequently. This must be hard for hackers to guess, easy for you to remember and easy for you to type;
- How easily most passwords are guessed by hacker software, since the rules people use for making passwords are thoroughly known by hackers.
You must use very strong passwords on your WordPress site. You should use very strong passwords on every web site you use.
WordPress does not store your password at all; it stores a one-way hash of it (a salted hash that is repeated thousands of times), and a hash cannot be turned back into the password. But hackers know the way we’ve all been taught to make “secure” passwords, and that lets them automate scripts that guess your password: hash each guess, compare it with the stored hash, repeat.
If hackers have stolen a copy of the site database (for example, an un-encrypted backup), or have hacked access to the database, they can test guesses offline using free, widely available software. How fast depends on the hash. Against fast, unsalted hashes such as plain MD5, a single graphics card tries billions of guesses per second; against a deliberately slow hash like the one WordPress uses it is millions per second, which is still far more than any login form would ever let through.
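To make the offline case concrete, here is an added example (my own illustration, not code from this page’s author, from WordPress or from any password keeper) of what a cracker does with a stolen table of hashes. The five passwords, the word list and the mangling rules are constructed for the demonstration; the “stretched” hash uses PBKDF2 with an assumed 10,000 iterations only to show how much a slow hash cuts the guess rate, and is not WordPress’s own scheme:

```python
import hashlib
import time

# Constructed sample: unsalted MD5 hashes of five made-up passwords, standing in
# for a stolen database table. Four follow the usual "rules"; the fifth is the
# kind of string a password generator produces.
SAMPLE_PASSWORDS = ("Password1", "sunshine!", "Dragon2016", "qwerty", "Kp9#vL2$xW7!aQ")
STOLEN_HASHES = {hashlib.md5(p.encode()).hexdigest() for p in SAMPLE_PASSWORDS}

# Toy word list. Real crackers use lists of hundreds of millions of leaked passwords.
WORDLIST = ("password", "sunshine", "dragon", "qwerty", "letmein", "monkey")


def mangle(word):
    """Yield the "clever" variants people build from one base word.

    These are the same rules cracking tools ship with: change the case, then
    append a digit, a year or a punctuation mark. One base word becomes a few
    dozen guesses, which is nothing next to the 94**8 space of a random
    8-character password.
    """
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("!", "123", "2016"):
            yield base + suffix
        for digit in "0123456789":
            yield base + digit


def crack_md5(hashes, wordlist):
    """Dictionary attack on unsalted MD5: hash every guess and look it up in the dump.

    Returns (cracked, guesses_tried); cracked maps hash -> recovered password.
    With no salt, one hash computation checks the guess against every account at once.
    """
    cracked = {}
    tried = 0
    for word in wordlist:
        for guess in mangle(word):
            tried += 1
            digest = hashlib.md5(guess.encode()).hexdigest()
            if digest in hashes:
                cracked[digest] = guess
    return cracked, tried


def guesses_per_second(stretched=False):
    """Measure this machine's guess rate for a fast hash versus a stretched one.

    stretched=False: plain MD5, the kind of hash the billions-per-second figures
    refer to.  stretched=True: PBKDF2-HMAC-SHA256 with an assumed 10,000
    iterations, a deliberately slow construction in the same spirit as the
    iterated hash WordPress stores (the iteration count here is illustrative).
    """
    samples = 50 if stretched else 20000
    start = time.perf_counter()
    for i in range(samples):
        guess = ("guess%d" % i).encode()
        if stretched:
            hashlib.pbkdf2_hmac("sha256", guess, b"constructed-salt", 10_000)
        else:
            hashlib.md5(guess).hexdigest()
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    cracked, tried = crack_md5(STOLEN_HASHES, WORDLIST)
    print("%d of %d hashes cracked after %d guesses" % (len(cracked), len(STOLEN_HASHES), tried))
    for digest, password in cracked.items():
        print("  %s -> %s" % (digest, password))
    print("plain MD5:      %12.0f guesses/s" % guesses_per_second())
    print("stretched hash: %12.0f guesses/s" % guesses_per_second(stretched=True))
```

The four “rule-made” passwords fall within a few hundred guesses; the generated one is in no word list, so no amount of mangling reaches it, and the only attack left is the full 94-symbol search discussed further down. The two printed rates show why the hash algorithm matters as much as the password: the stretched hash costs thousands of times more per guess on the same machine.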
If hackers can test passwords through the standard WordPress login form, and you haven’t restricted that, they can test thousands of passwords in a couple of hours. (Install a WordPress security plugin such as Wordfence or iThemes Security; most WordPress security plugins can limit login attempts. Make sure the limit also covers xmlrpc.php, which accepts the same user name and password and is what many brute-force tools actually hit.)
One way of making passwords that is actually secure, though you will never be able to remember them, is to use a password generator. Use the generator built into password-keeping software, and all you have to remember is the “master” password for the password keeper. The software will remember all your user names, account numbers and passwords, plus any other information you keep as notes for that site.
“A password manager is just software that creates, stores and organizes all your passwords for your computers, websites, applications and networks.”
I’ll give you my recommendation for which password keeper to use. But first, it’s important that you understand how to select a password manager.
Beyond storing user names and passwords, you can also use your password keeper for storing “secure notes” such as bank account numbers, credit cards, library cards, any account numbers, serial numbers, registration numbers, router configuration details, etc.
Software this obviously about security may only be downloaded from a source with a reputation to maintain: the developer’s own site or the official app store for your device, a site with real technical strength that scans what it hosts, and excellent independent reviews. If the developer publishes a checksum or signature for the download, check it.
No downloading any software because there was a pretty advertisement about it on _____ (fill in the social media site). If you use a hacker’s program as your password keeper, guess what they’ll do…
For password storage, you also must select a program whose encryption is a published, well-reviewed standard (256-bit AES is the usual choice) and whose source code is open. The more security experts who have had a chance to review the software for weaknesses the better. Proprietary software doesn’t get as many eyes checking for problems; companies are proud of their software and look at how good it is, not where it is weak.
You also need a copy of the program and of your encrypted password file on your own computer, and the password keeper has to work from your thumb drive and/or your tablet or phone as well. A web-based service is acceptable only if it synchronizes a copy to your own devices; you can’t risk their business suddenly closing and taking all your passwords with it.
Another feature to look for is a standard method for exporting your information, for example an XML or CSV text file, should you ever want to change to another program. But know that this export is an un-encrypted plain-text file: make backups of your encrypted password file, not of the export, and delete any export as soon as you have finished with it.
This is not a complete list of good password keepers, but these work very well, and are trusted sources:
The password manager I am currently using is LastPass, free for all devices. I used to use KeePass.
LastPass is easier to use than KeePass, in several small but important ways. It notices when you visit a site, and offers to fill in the login form for you. It notices when you log into a site that you haven’t added yet to LastPass, and offers to save the login information into LastPass. It also has fields for some common information, for example credit cards and WiFi credentials.
They also have a paid version, with additional features. The most interesting paid feature is much better sharing of passwords, for example with a spouse. With the free version, you can specify single password entries to share with a specific person; you can even specify whether they can see the shared password or only use LastPass to fill it in when they log into a site.
LastPass works on Windows, OS X, Linux, iOS, and Android.
Other Password Keepers
On Windows, I download almost all my shareware and open source software from CNET or SourceForge. For iOS and Android, use the main Apple and Google libraries.
Get KeePass and also get the portable version (it runs off your thumb drive). Unless you have a strong reason to use the original 1.x edition, which is still being maintained, get the KeePass 2.x edition. The main site is on SourceForge (downloads here), and the KeePass web site is excellent for learning what makes good password software, even if their software isn’t what you use (e.g. you use OS X but don’t have Mono). There are versions or ports for Android, OS X (with Mono), iPhone and Linux. Some of the key features:
- KeePass supports the Advanced Encryption Standard (AES, Rijndael) and the Twofish algorithm to encrypt its password databases. Both of these ciphers are regarded as being very secure. For example, AES became effective as a U.S. Federal government standard and is approved by the National Security Agency (NSA) for top secret information.
- The complete database is encrypted, not only the password fields. So, your user names, notes, etc. are encrypted, too.
- The clipboard is cleared a few seconds after you copy a password, so the un-encrypted password isn’t left there for the next program (or person) to paste.
1Password is also excellent, with top security and more built-in fields for storing special information than KeePass (a KeePass entry has title, user name, password, URL and notes fields by default, though KeePass 2.x lets you add custom fields). 1Password can share a group of passwords with other people, so you all have access to the password (or other secure data such as account numbers); for example, as you manage your elderly parent’s accounts you have all their vital account numbers and passwords before they forget them.
On OS X: use 1Password, LastPass, KeePass, or Keychain http://www.macworld.com/article/2013756/how-to-manage-passwords-with-keychain-access.html .
Exceptions to Using Password Keepers for Security
The only passwords you would ever casually share with someone should be your WiFi password. If your WiFi hardware supports it, use the “guest” account for visitors. Read how to make secure passwords for WiFi you can type.
The only passwords you should frequently type, instead of using your password keeper, are the ones for your computer and for your password keeper, and your credit card PIN.
Your printers and other Internet-enabled (or in-house WiFi enabled) devices will also need the WiFi password typed in. Type it in once, the device remembers the settings, and you don’t type it in again until you change the password.
You should use your password keeper to share passwords for bank accounts or other financial institutions, where you share the account. For most people, this would only be your spouse or parents, or a business partner. (If possible, make a separate login for each person. But if not, most good password keeper software can securely share passwords you specify with a person.)
You should share your password keeper’s master password with the executor of your estate, or the person you have given power of attorney, the person who would need to access your accounts if you are unable to.
If you make someone able to access your account information, it will be much easier for them to finalize your accounts, cancel your subscriptions, turn off your repeating payments.
For technical support, create a temporary user for them with only the role the job needs (not your own account), let WordPress email them a password-reset link, and delete the user when the work is done. It is a bad idea to ever send a password by email, text message or phone.
Reviews of Password Managers
Best Password Manager — For Windows, Linux, Mac, Android, iOS and Enterprise says “…majority of Internet users are vulnerable to cyber attacks, not because they aren’t using any best antivirus software or other security measures, but because they are using weak passwords to secure their online accounts.” Gives some recommended password keepers, for each of those devices, as of July 2016.
Basics of Password Security
For each site, use the longest password the site allows, up to maybe 60 characters. Your password keeper will let you copy/paste the password, so you don’t have to ever type it. (As long as it is a random computer-generated password, 60 characters is “lifetime strong”.)
Never use a password on more than one site. If someone gets your password at your favorite pizza place, and orders a pizza “for carry out” on your card, you don’t want them also able to use your video streaming account, right? LastPass will even warn you to change passwords if it is used on more than one site.
Whatever password keeper you use, keep the master password with someone trusted (for example your attorney keeping your will, or the main person who will manage your estate) in case of your death or other inability to type your password. See The 1Password Emergency Kit: Version 3.0 for how to do this.
Old Rules to Make “Secure” Passwords Are Too Easy to Guess
You have to remember your password keeper’s master password. Forget it and all your other passwords stay encrypted in a way that cannot be broken (unless of course your master password is so weak it can be guessed by password-cracking software).
But the rules we’ve been told by technical support people for decades for making passwords are not secure any more. The main reason is simple: there is software that can make billions of guesses of your password per second, and hackers using it know all the “clever” rules people come up with for making passwords.
Yes, if the software had to try every combination of letters, numbers and punctuation in an 8-character password (26 lower-case letters, 26 upper-case letters, 10 digits and about 32 punctuation marks, 94 symbols in all), that’s 94^8 = 6,095,689,385,410,816 combinations. But even that is not a long time at the 8 billion guesses per second quoted further down: the whole 8-character space takes about 9 days. So let your password generator make them longer; many sites allow 40 characters or more (use the longest the site will take), and a random 12-character password already takes millions of years at that rate.
But if you need to make a password that you can remember, those ways of making a “secure but memorable” password are all known, and even 8 character passwords (and often longer) can be guessed in under a day. You need a password that can’t be guessed during your lifetime!
Don’t believe it? Maybe you will when you read this…
https://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/ says “In March, readers followed along as Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, downloaded a list of more than 16,000 cryptographically hashed passcodes [hashed with MD5, but not salted]. Within a few hours, he deciphered almost half of them. The moral of the story: if a reporter with zero training in the ancient art of password cracking can achieve such results, imagine what more seasoned attackers can do… Even the least successful cracker of our trio — who used the least amount of hardware, devoted only one hour, used a tiny word list, and conducted an interview throughout the process — was able to decipher 62 percent of the passwords. Our top cracker snagged 90 percent of them… Using a commodity computer with a single AMD Radeon 7970 graphics card, it took him 20 hours to crack 14,734 of the hashes, a 90-percent success rate. Jens Steube, the lead developer behind oclHashcat-plus, achieved impressive results as well. Steube unscrambled 13,486 hashes (82 percent) in a little more than one hour, using a slightly more powerful machine that contained two AMD Radeon 6990 graphics cards.”
(oclHashcat-plus is the freely available password-cracking software both Anderson and all crackers in that article used.)
https://arstechnica.com/security/2012/08/passwords-under-assault/ “A PC running a single AMD Radeon HD7970 GPU, for instance, can try on average an astounding 8.2 billion password combinations each second, depending on the algorithm used to scramble them.” [Notice the date, that’s with an “ancient” 2012 computer.]
That 8 billion per second is the offline case, if someone stole a backup of your database, for example, and it is the rate for a fast hash; WordPress’s slower, iterated hash cuts it by a factor of roughly a thousand, which buys time but does not rescue a weak password. If they were going to try logging in to WordPress, perhaps 100-200 attempts per second would be easy, from a single computer. How many computers working together in a hacker network could attack your site at once, if you don’t have software limiting the number of attempts? I’ve seen over 100,000 in a night, from about 10 computers.
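If you run your own server and want to see this traffic for yourself instead of only trusting a plugin, the following added example (mine, not from the original post and not from Wordfence or iThemes) reads web-server access-log lines and flags the login POSTs, per source address and site-wide. The log lines, the IP addresses (RFC 5737 documentation ranges) and the thresholds are constructed for the demonstration; adjust the thresholds to your own traffic:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Both endpoints take a user name and password; xmlrpc.php is the one people forget.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]
    return m["ip"], ts, m["method"], path, int(m["status"])


def login_posts(lines):
    """Map source IP -> sorted timestamps of POSTs to a login endpoint.

    A failed wp-login.php attempt answers 200 (the form again) and a success 302,
    so the status code alone does not say which guesses worked; volume is the signal.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] in LOGIN_PATHS:
            per_ip[rec[0]].append(rec[1])
    for stamps in per_ip.values():
        stamps.sort()
    return per_ip


def max_in_window(stamps, window):
    """Largest number of (sorted) timestamps that fall inside any span of `window`."""
    best = 0
    j = 0
    for i, t in enumerate(stamps):
        while t - stamps[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def flag_brute_force(lines, max_attempts=10, window=timedelta(minutes=10)):
    """IPs that POSTed to a login endpoint at least max_attempts times within window."""
    return {ip: len(stamps) for ip, stamps in login_posts(lines).items()
            if max_in_window(stamps, window) >= max_attempts}


def peak_total_rate(lines, window=timedelta(minutes=1)):
    """Site-wide peak; still shows a botnet whose members each stay under the per-IP limit."""
    everything = sorted(t for stamps in login_posts(lines).values() for t in stamps)
    return max_in_window(everything, window) if everything else 0


def _line(ip, ts, path, status=200):
    return '%s - - [%s] "POST %s HTTP/1.1" %d 3456 "-" "Mozilla/5.0"' % (
        ip, ts.strftime("%d/%b/%Y:%H:%M:%S %z"), path, status)


# Constructed sample log using the RFC 5737 documentation address ranges:
#  - a real user who mistypes once, then logs in,
#  - one attacker hitting wp-login.php 40 times in 40 seconds,
#  - three bots sharing the work at 4 attempts each against xmlrpc.php.
_T0 = datetime(2016, 7, 12, 2, 14, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    _line("203.0.113.5", _T0 - timedelta(minutes=4), "/wp-login.php"),
    _line("203.0.113.5", _T0 - timedelta(minutes=3, seconds=30), "/wp-login.php", 302),
]
SAMPLE_LOG += [_line("198.51.100.23", _T0 + timedelta(seconds=i), "/wp-login.php")
               for i in range(40)]
SAMPLE_LOG += [_line("192.0.2.%d" % n, _T0 + timedelta(seconds=10 + 5 * k), "/xmlrpc.php")
               for n in (11, 12, 13) for k in range(4)]

if __name__ == "__main__":
    print("per-IP offenders:", flag_brute_force(SAMPLE_LOG))
    print("peak login POSTs from all IPs in one minute:", peak_total_rate(SAMPLE_LOG))
```

The per-IP check is what login-limiting plugins do; the site-wide peak is the extra check worth adding, because the three bots above each stay under the per-IP limit yet together with the main attacker push the one-minute total to 52 POSTs, far above what a human audience produces.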
Making Secure Passwords You Can Remember
The comments on the original correct horse battery staple page point out that if all four words you pick are in the 5,000 most popular English words, then you should calculate the time it takes the password software to go through 625,000,000,000,000 (5000 x 5000 x 5000 x 5000) combinations.
60 seconds * 60 minutes * 24 hours = 86,400 seconds/day. At 8 billion per second, they have your “four common words” password in about 1 day, using a “wimpy” 4 year old computer (now 2016).
Obviously one way to make your password (pass phrase) more secure is use at least one word that is not in that tiny dictionary of most popular words. Engineering, scientific, medical, or any other more obscure words will do; but they have to be easy for you to remember, and remember how to spell. (Or, remember consistently how to mis-spell). Common foreign language words are also in hacker dictionaries, but less common ones are good to use; pick a language that is not common in the websites you use.
Another way to make your password more secure is to use 6-8 words. But remembering 4 random words is hard enough for most people. (Tip: get one of the associative memory courses, such as MegaMemory.) If you have a system memorized already, okay. If you have the type of memory where you know every move of every chess game Kasparov ever played, good for you, use it. But if you don’t, here’s how.
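The arithmetic above, and the two ways of strengthening a passphrase just described, in one added example (my own, not from the original post or from the xkcd page) that puts the page’s numbers into a few functions so you can try your own scheme. The 8.2 billion guesses per second is the 2012 figure quoted earlier on this page, the 94-symbol set is the page’s 26+26+10+32, and the 100,000-word dictionary standing in for “one obscure word” is an assumed size:

```python
import math

# Guess rate the page quotes for one 2012 AMD Radeon HD 7970 against a fast hash.
RATE_PER_SECOND = 8.2e9
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def charset_keyspace(length, charset_size=94):
    """Every string of `length` symbols from a charset (94 = 26+26+10+32 printable ASCII)."""
    return charset_size ** length


def wordlist_keyspace(word_count, dictionary_size):
    """Passphrases of `word_count` words, each drawn from a dictionary of `dictionary_size`."""
    return dictionary_size ** word_count


def mixed_keyspace(*dictionary_sizes):
    """Passphrase where each word position may come from a different-sized dictionary,
    e.g. three common words plus one obscure one: mixed_keyspace(5000, 5000, 5000, 100_000)."""
    return math.prod(dictionary_sizes)


def bits(keyspace):
    """Strength in bits: log2 of the number of equally likely possibilities."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace, rate=RATE_PER_SECOND):
    """Worst case; on average the attacker hits the password after half this."""
    return keyspace / rate


def human(seconds):
    if seconds < SECONDS_PER_DAY:
        return "%.1f hours" % (seconds / 3600)
    if seconds < SECONDS_PER_YEAR:
        return "%.1f days" % (seconds / SECONDS_PER_DAY)
    return "%.3g years" % (seconds / SECONDS_PER_YEAR)


def report(label, keyspace):
    print("%-46s %6.1f bits  %s" % (label, bits(keyspace), human(seconds_to_exhaust(keyspace))))


if __name__ == "__main__":
    report("random 8 chars, 94-symbol set", charset_keyspace(8))
    report("random 12 chars, 94-symbol set", charset_keyspace(12))
    report("4 words from the 5,000 commonest", wordlist_keyspace(4, 5000))
    report("3 common words + 1 from a 100,000-word list", mixed_keyspace(5000, 5000, 5000, 100_000))
    report("6 words from the 5,000 commonest", wordlist_keyspace(6, 5000))
    report("8 words from the 5,000 commonest", wordlist_keyspace(8, 5000))
```

Two things the numbers make obvious. Swapping one common word for one from a list twenty times larger multiplies the work by twenty (about a day becomes about two and a half weeks); adding two more common words multiplies it by twenty-five million (a day becomes tens of thousands of years). And a fixed rule such as “capital first letter, 7! at the end” multiplies the space by at most a small constant, since an attacker who knows the convention simply tries it; the words carry the strength. Against WordPress’s slower hash divide the rate by roughly a thousand, which helps but changes none of these conclusions.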
Making a Memorable Secure Password Phrase
You need a very secure password for your master password for your password keeper software, for your computer login, and for the very few sites that you log into often. (The “editor” password for your WordPress site, but not the administrator password, might be the only password you type.) These passwords have to be very easy to remember and easy for you to type.
I think the proper person for teaching this task is Mary Poppins:
Now, pick a “mini-scene”, for example the robin or the mirror, and describe it in 6-8 words. For this mini-scene, perhaps “robin feathering fly mary whistle duet” (a robin feathering his nest flies to Mary Poppins and they whistle a duet) but don’t use that, make your own story. As long as you pick a vivid, memorable mini-scene, the “story” you make up will be completely memorable to you, but not easy for anyone to guess, even if they know what movie you love.
- Ignore any 1-3 letter words unless important.
- Don’t take a lyric or famous quote, as those could be in the “dictionary” of some hackers. “spoonful of sugar” is a lousy password, “spoonful of sugar to help the medicine go down” is so famous it’s not much better than “spoonful1964”
- No punctuation between words (spaces aren’t allowed on some sites, and punctuation is harder to type); or if you must, use the same common punctuation mark between every word, so there’s nothing to remember about which one you used.
- Pick one place to put a capital letter, probably the first letter of the first word, and use that place for every password you make.
- Pick one place to put a digit (probably the end), and one place to put a punctuation mark (probably after the digit). Use the same digit, punctuation mark and place for every password you make, so you don’t have to remember what and where you picked. (A fixed rule like this adds no real strength; an attacker who knows the convention simply tries it. The words are what make the phrase hard to guess; the digit and punctuation are there to satisfy sites that demand them.)
- Only use punctuation that is accepted on almost all web sites, e.g. the top row of your keyboard, ~!@#$%^&*()_+-= so you don’t have to remember which sites allow which punctuation mark.
- If you’re not certain whether to use singular or plural (“was it penguin or penguins who bowed in the cafe?”) always use singular (the simpler word). Or, move slightly ahead or back in time, so it is clear (“how many penguins gave Mary a kiss?” You do remember, don’t you, even after the years since you watched Mary Poppins? Go watch again…)
- Any time remembering it “wrong” will be highly memorable, go with it. If you can vividly see in your imagination that in “The Matrix”, Neo did a cartwheel and grabbed a Howitzer off the floor (instead of a machine gun), excellent.
- Any time a more complex or less common word would be memorable, use it. Know your birds? Use the actual type of robin Mary sang to, instead of “bird”.
Some more practice making stories from mini-scenes (but soon quit practicing, pick a movie you love, change your password keeper’s master password!). This is quite a curtain call:
What does Neo do?