Passwords: the weakest link in WordPress security
DESCRIPTION
Slides from CloudFlare's webinar on WordPress security with Clef's CEO Brennen Byrne.
TRANSCRIPT
passwords: the weakest link in wordpress security
@brennenbyrne
this talk is about
security
a lot of people think security is
hard
confusing
complicated
technical
impossible
frustrating
not for you
painful
infuriating
but we all know that it’s
important
and my job is to make it
easy
hello, my name is brennen (@brennenbyrne)
I’m a founder of Clef (getclef.com)
for the next 30 mins
★ zombie army
★ two step (logins)
★ ssl
★ password rot
★ what you can do
slides: getclef.com/cloudflare-webinar
checklist: getclef.com/wordpress-security-checklist
passwords
“The weakest link in the security of anything you do online is your password.”
—vip.wordpress.com/security
it’s time to talk about the zombie army.
the old way to break a password
1. virus that watches you type
2. guess common passwords
3. “advanced interrogation”
in order to defend myself
1. don’t download viruses
2. limit wrong guesses
3. don’t anger enemy nation-states
but attackers have gotten smarter
zombie army
the zombie army is what happens to you when other people download viruses
their computers become
zombies
sites infect visitors’ computers
zombies attack sites
visitors join zombie army
bigger army attacks more sites
zombies swarm and attack your site from millions of different computers
1. don’t download viruses
2. limit wrong guesses
3. don’t anger enemy nation-states
the zombie army is attackers’ response to our better defenses
as wordpress becomes a better target the incentives for breaking it rise
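The point of the slides above, that a limit on wrong guesses stops one noisy machine but not a swarm, worked through as an added example (not from the talk or from any plugin). It assumes the limit is counted per source IP address; the log lines, addresses, thresholds and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: failed login attempts as "epoch_seconds,source_ip,username".
# 198.51.100.x and 203.0.113.x are documentation ranges, not real hosts.
SAMPLE_FAILURES = (
    # one noisy host guessing at "editor": the case a per-IP limit catches
    [f"{1000 + i},198.51.100.7,editor" for i in range(6)]
    # 40 different hosts, one guess each, all against "admin": the swarm
    + [f"{2000 + i},203.0.113.{i + 1},admin" for i in range(40)]
)

def parse(lines):
    for line in lines:
        ts, ip, user = line.strip().split(",")
        yield int(ts), ip, user

def per_ip_lockouts(lines, max_failures=5):
    """Assumed classic limit: block an IP after more than max_failures wrong guesses."""
    counts = defaultdict(int)
    for _, ip, _ in parse(lines):
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n > max_failures}

def distributed_targets(lines, window=300, min_sources=20):
    """Flag accounts with failures from many distinct IPs inside a sliding window.

    Returns {username: largest number of distinct source IPs seen in one window}.
    """
    events = defaultdict(list)
    for ts, ip, user in parse(lines):
        events[user].append((ts, ip))
    flagged = {}
    for user, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # shrink the window until it spans at most `window` seconds
            while evs[end][0] - evs[start][0] > window:
                start += 1
            sources = {ip for _, ip in evs[start:end + 1]}
            if len(sources) >= min_sources:
                flagged[user] = max(flagged.get(user, 0), len(sources))
    return flagged

if __name__ == "__main__":
    print("locked out by per-IP limit:", per_ip_lockouts(SAMPLE_FAILURES))
    print("accounts under distributed guessing:", distributed_targets(SAMPLE_FAILURES))
```

The per-IP limit blocks only the single noisy host, while counting distinct sources per account surfaces the 40 one-guess hosts that never trip it.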
two step
the steps
something you know
something you have
something you are
the old way of doing this meant:
1. typing your password
2. getting a text with a bunch of numbers
3. typing in the bunch of numbers
(google authenticator)
clef, the plugin i work on, skips the password to make two-factor much easier.
ssl
ssl = safe safe lock
*it actually stands for “secure socket layer”
without ssl, everything is public
only do stuff you wouldn’t mind standing on a table
and yelling about in a coffee shop
i.e. no passwords or credit cards
password rot
your password is strongest on the day you set it
1. more time for attacker to crack
2. more computer power available
3. greater chance you’ve reused
passwords pit our memories against
computer brute force — we are going to lose
what to do
one weird trick to protect your site from all attacks
delete it.
use two factor for admin
otherwise
install bruteprotect and cloak
read wordpress security checklist: getclef.com/wordpress-security-checklist