Bad Security 101

WordPress now checks how “strong” your password is.

That’s great, fellas, but you’re shooting in the dark. The fact that your administrative login is accomplished over standard http (ergo transporting usernames/passwords over the internet in plaintext) means that you’re just making the end user remember something more complicated, while the real threat probably isn’t someone guessing passwords; it’s someone capturing passwords by sniffing the network.

If you want better security, asking people to remember stronger passwords only makes sense if you’re going to take steps to protect those passwords.
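As an added illustration (not code from the original post or from WordPress), here is the check the argument above implies a defender should make: parse a login page, find every form that carries a password field, resolve where it POSTs, and report whether the credentials would cross the wire in the clear. The sample HTML is constructed to resemble a wp-login.php form; the URLs and function names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginFormFinder(HTMLParser):
    """Record the action of every <form> that contains a password input."""

    def __init__(self):
        super().__init__()
        self._action = None        # action of the <form> currently open
        self._has_password = False
        self.actions = []          # one entry per form with a password field

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._action = a.get("action", "")   # "" means "post back to this page"
            self._has_password = False
        elif tag == "input" and a.get("type", "").lower() == "password":
            self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            if self._has_password:
                self.actions.append(self._action)
            self._action = None


def credential_exposure(page_url, html):
    """For each password form, report where the POST goes and whether it travels in the clear."""
    finder = _LoginFormFinder()
    finder.feed(html)
    page_plain = urlsplit(page_url).scheme != "https"
    report = []
    for action in finder.actions:
        target = urljoin(page_url, action)      # resolves "", relative and //host forms
        post_plain = urlsplit(target).scheme != "https"
        report.append({
            "action": target,
            "password_in_clear": post_plain,    # a sniffer on the path reads the password
            "form_tamperable": page_plain,      # page arrived unauthenticated, action could be rewritten
        })
    return report


# Constructed sample resembling a WordPress login form (not a real capture).
SAMPLE_LOGIN_HTML = """
<form name="loginform" id="loginform" action="/wp-login.php" method="post">
  <input type="text" name="log" id="user_login" />
  <input type="password" name="pwd" id="user_pass" />
  <input type="submit" name="wp-submit" value="Log In" />
</form>
"""
```

Run it with the same HTML under an http:// and an https:// page URL to see the difference the post is talking about: identical form, but only one of them hands the password to anyone on the network.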


Posted June 21, 2007 by padraic2112 in security

5 responses to “Bad Security 101”


  1. Actually, in our experience weak passwords are a much bigger problem.

  2. Matt ->
    I think we’re coming at this discussion from two different standpoints. If you’re trying to solve a historical problem (people’s passwords being guessed or brute-forced), then I understand what you’re trying to do, and why “make them choose better passwords” is a step in the right direction.
    However, you’re looking at it from WordPress’s position. “WordPress has this historical problem. We can patch over this historical problem by doing this”. You’re not looking at it from the user’s standpoint.
    Here’s one of the problems, from the user standpoint. People have a limited capacity for remembering passwords. Once you start telling people to choose stronger passwords, they are going to start password reuse. You can tell them over and over that this is a bad idea; they’re going to do it anyway. Since they can’t remember more than a few “good” passwords, they’re going to start using the same password for their wordpress account that they use for their bank website, or 401k web interface, etc.
    Now, this doesn’t strictly speaking affect wordpress, but it certainly affects wordpress users.
    Joe Average wordpress user logs into his account on a wireless network at an internet cafe. His username and password are sniffed by Bill The Hacker sitting next to him. Now, Bill doesn’t care one whit for Joe’s wordpress account; he’s not going to use that username and password to post messages on Joe’s blog. However, Bill’s packet sniffer also shows https traffic going between Joe’s laptop and wellsfargo.com. Enterprising Bill takes a second look at the captured username and password for Joe’s wordpress account and sees that Joe has [username: javerage, password: %!wY00-{/p]. Bill, being a savvy hacker type, now has a much better shot at hacking Joe’s bank account, because there is a pretty high probability that Joe’s bank account password is also his wordpress password.
    If you want to prove to yourself how easy this is, as an intellectual exercise download a packet sniffer and go log into a free wifi spot. You will be astonished how easily you can gather a large quantity of usernames and passwords.
    Put another way, weak passwords may be a bigger problem for wordpress, but sniffed passwords are a much, much bigger problem for the users, especially when they are “good” passwords.
    P.S. – I really like your blogging software, though.

  3. Check out a dissertation that I directed. The author’s name is Danuvasin Charoen.

  4. Pingback: Password Storage « Pat’s Daily Grind

  5. Pingback: Horray! WordPress Sucks Less! « Pat’s Daily Grind
