passwords: the weakest link in wordpress security

Posted on 01-Nov-2014


DESCRIPTION

Brennen Byrne's talk on passwords at WordCamp Chicago 2014.

TRANSCRIPT

passwords: the weakest link in wordpress security

@brennenbyrne#wcchi

this talk is about

security

a lot of people think security is

hard

confusing

complicated

technical

impossible

frustrating

not for you

painful

infuriating

but we all know that it’s important

and my job is to make it easy

hello, my name is brennen (@brennenbyrne)


I’m a founder of Clef (getclef.com)


for the next 30 mins

★ zombie army

★ two step (logins)

★ ssl

★ password rot

★ what you can do

getclef.com/wcchi2014

getclef.com/wordpress-security-checklist

slides


passwords

“The weakest link in the security of anything you do online is your password.”

—vip.wordpress.com/security

heartbleed jetpack

http cookies


it’s time to talk about the zombie army.

the old way to break a password

1. virus that watches you type

2. guess common passwords

3. “advanced interrogation”

in order to defend myself

1. don’t download viruses

2. limit wrong guesses

3. don’t anger enemy nation-states

but attackers have gotten smarter


zombie army


the zombie army is what happens to you when other people download viruses


their computers become zombies

sites infect visitors’ computers

zombies attack sites

visitors join zombie army

bigger army attacks more sites


zombies swarm and attack your site from millions of different computers


1. don’t download viruses

2. limit wrong guesses

3. don’t anger enemy nation-states

the zombie army is attackers’ response to our better defenses

as wordpress becomes a better target the incentives for breaking it rise

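To show why "limit wrong guesses" stops working once the guesses come from a zombie army, here is an added illustration (my own code, not from the talk or from Clef): it replays two constructed sets of failed logins, one from a single machine and one spread across many infected hosts, through a limiter that counts failures per source IP and per target account. The limiter class, its thresholds and the sample addresses are assumptions of this example, not the behaviour of any WordPress plugin.

```python
from collections import defaultdict

# Constructed failed-login events (source IP, target account); not real traffic.
# Classic brute force: one machine guessing the same account over and over.
SINGLE_SOURCE = [("203.0.113.5", "admin")] * 30
# Zombie army: the same 30 guesses, each sent from a different infected host.
DISTRIBUTED = [(f"198.51.100.{i}", "admin") for i in range(1, 31)]


class LoginLimiter:
    """Hypothetical limiter tracking failed logins per source IP and per account.

    A per-IP threshold stops the single-machine attacker, but a botnet that
    spreads its guesses over many addresses never trips it; a per-account
    threshold notices one account being hammered regardless of source.
    """

    def __init__(self, per_ip_limit=10, per_account_limit=10):
        self.per_ip_limit = per_ip_limit
        self.per_account_limit = per_account_limit
        self.ip_failures = defaultdict(int)
        self.account_failures = defaultdict(int)

    def record_failure(self, ip, username):
        self.ip_failures[ip] += 1
        self.account_failures[username] += 1

    def ip_blocked(self, ip):
        return self.ip_failures[ip] >= self.per_ip_limit

    def account_locked(self, username):
        return self.account_failures[username] >= self.per_account_limit


def replay(events, limiter):
    """Return (guesses reaching the password check under per-IP blocking only,
    guesses reaching it when the per-account lockout is applied as well)."""
    passed_ip_only = passed_both = 0
    for ip, user in events:
        if not limiter.ip_blocked(ip):
            passed_ip_only += 1
            if not limiter.account_locked(user):
                passed_both += 1
        limiter.record_failure(ip, user)
    return passed_ip_only, passed_both


if __name__ == "__main__":
    for name, events in (("single source", SINGLE_SOURCE), ("zombie army", DISTRIBUTED)):
        ip_only, both = replay(events, LoginLimiter())
        print(f"{name}: {ip_only} guesses pass per-IP limit, {both} pass per-IP + per-account")
```

Per-account lockout has its own trade-off: the same flood can lock the legitimate owner out of the account, which is why it belongs alongside two-factor rather than as the only defense.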

two step


the steps

something you know

something you have

something you are

the only thing better than one factor of authentication is…

two factors


the old way of doing this meant:

1. typing your password

2. getting a text with a bunch of numbers

3. typing in the bunch of numbers

(google authenticator)


clef, the plugin i work on, skips the password to make two-factor much easier.


ssl


s = safe

ss = safe safe

ssl = safe safe lock

*it actually stands for “secure socket layer”

without ssl, everything is public

only do stuff you wouldn’t mind standing on a table and yelling about in a coffee shop

i.e. no passwords or credit cards

password rot


your password is strongest on the day you set it

it gets weaker every day after that

1. more time for attacker to crack

2. more computer power available

3. greater chance you’ve reused

passwords pit our memories against computer brute force — we are going to lose

what to do


one weird trick to protect your site from all attacks

delete it.

use two factor for admin

otherwise

install bruteprotect and cloak

read wordpress security checklist: getclef.com/wordpress-security-checklist
