Passwords: the weakest link in WordPress security
uploaded by jessepollak
category: Technology
Transcript of Passwords: the weakest link in WordPress security
p4sSw0rd5: the weakest link in wordpress security
@brennenbyrne
this talk is about security
a lot of people think security is
hard
confusing
complicated
technical
impossible
frustrating
not for you
painful
infuriating
but we all know that it’s important
and my job is to make it easy
hello, my name is brennen (@brennenbyrne)
I’m a founder of Clef (getclef.com)
for the next 30 mins
★ botnets
★ two-factor authentication
★ ssl
★ password rot
★ what you can do
slides: getclef.com/wcmpls2014
checklist: getclef.com/wordpress-security-checklist
I don’t mean to scare you —
but there is a zombie army coming for
your WordPress site.
the old way to break a password
guess common passwords
virus that watches you type
“advanced interrogation”
in order to defend myself
limit wrong guesses
don’t download viruses
don’t anger enemy nation-states
but attackers have gotten smarter
botnets
botnets are what happens to you when other people download viruses
their computers become zombies
sites infect visitors’ computers
botnets attack sites
visitors join botnet
bigger botnet attacks more sites
botnets swarm and attack your site from millions of different computers
ban IPs that are guessing wrong
don’t download viruses
don’t piss off enemy nation-states
botnets are the attackers’ response to our better defenses
as wordpress becomes a better target the incentives for breaking it rise
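The slides contrast the classic defence (ban an IP that keeps guessing wrong) with the botnet case, where each of millions of IPs guesses only once or twice and never trips a per-IP ban. The example below is added here and is not code from the talk or from any plugin it names; it runs both checks over a constructed login-event log (the one-line-per-event format, the thresholds and the windows are assumptions for this example) and shows that the per-IP rule catches the single noisy source while only the per-account rule catches the distributed attack on "admin".

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of login events. The format is an assumption for this
# example (one event per line); it is not the log format of any real plugin.
SAMPLE_EVENTS = """\
2014-07-12T10:00:01Z FAIL ip=203.0.113.5 user=admin
2014-07-12T10:00:02Z FAIL ip=203.0.113.5 user=admin
2014-07-12T10:00:03Z FAIL ip=203.0.113.5 user=admin
2014-07-12T10:00:04Z FAIL ip=203.0.113.5 user=admin
2014-07-12T10:00:05Z FAIL ip=203.0.113.5 user=admin
2014-07-12T10:00:06Z FAIL ip=203.0.113.5 user=admin
2014-07-12T10:00:10Z FAIL ip=198.51.100.1 user=admin
2014-07-12T10:00:11Z FAIL ip=198.51.100.2 user=admin
2014-07-12T10:00:12Z FAIL ip=198.51.100.3 user=admin
2014-07-12T10:00:13Z FAIL ip=198.51.100.4 user=admin
2014-07-12T10:00:14Z FAIL ip=198.51.100.5 user=admin
2014-07-12T10:00:15Z FAIL ip=198.51.100.6 user=admin
2014-07-12T10:00:16Z FAIL ip=198.51.100.7 user=admin
2014-07-12T10:00:17Z FAIL ip=198.51.100.8 user=admin
2014-07-12T10:01:00Z FAIL ip=192.0.2.9 user=alice
2014-07-12T10:01:05Z OK ip=192.0.2.9 user=alice
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) ip=(?P<ip>\S+) user=(?P<user>\S+)$"
)


def parse_events(text):
    """Parse the constructed format into (timestamp, failed, ip, user) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real collector would count and report unparsable lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["result"] == "FAIL", m["ip"], m["user"]))
    return events


def ips_to_ban(events, max_failures=5, window=timedelta(minutes=10)):
    """Classic per-IP defence from the slides: ban an IP once it has more than
    max_failures failed logins inside a sliding window."""
    banned = set()
    recent = defaultdict(list)  # ip -> timestamps of failures still inside the window
    for ts, failed, ip, _ in sorted(events):
        if not failed:
            continue
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) > max_failures:
            banned.add(ip)
    return banned


def accounts_under_distributed_attack(events, min_distinct_ips=5, window=timedelta(minutes=10)):
    """Botnet case: many failures against one account from many different IPs,
    each IP staying below the per-IP ban threshold. Flags the account instead."""
    flagged = set()
    recent = defaultdict(list)  # user -> (timestamp, ip) of failures inside the window
    for ts, failed, ip, user in sorted(events):
        if not failed:
            continue
        recent[user] = [(t, i) for t, i in recent[user] if ts - t <= window] + [(ts, ip)]
        if len({i for _, i in recent[user]}) >= min_distinct_ips:
            flagged.add(user)
    return flagged


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("ban IPs:", ips_to_ban(events))
    print("accounts under distributed attack:", accounts_under_distributed_attack(events))
```

The per-IP rule bans only 203.0.113.5; the eight 198.51.100.x sources each failed once and stay unbanned, which is exactly the gap the slides describe. The per-account rule flags "admin" because its failures come from nine distinct IPs inside the window, while alice (one failure, then success, from one IP) is untouched. A flagged account is a signal to raise the bar for that login (slow it down, require the second factor), not a reason to lock the real owner out.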
two-factor
the factors
something you know
something you have
something you are
the only thing better than one factor of authentication is…
two factors
the old way of doing this meant:
1. typing your password
2. getting a text with a bunch of numbers
3. typing in the bunch of numbers
(google authenticator)
clef, the plugin i work on, skips the password to make two-factor much easier.
ssl
if you want to learn more about this, go see jesse’s crypto-101 at 3
for most of us, ssl might as well stand for secure symbol lock
it actually stands for “secure sockets layer”
without ssl, everything is public
only do stuff you wouldn’t mind standing on a table and yelling about in a coffee shop
i.e. no passwords or credit cards
password rot
your password is strongest on the day you set it
it gets weaker every day after that
more computer power available
more time for attacker to crack
greater chance you’ve reused
passwords pit our memories against computer brute force — we are going to lose
what to do
one weird trick to protect your site from all attacks
delete it.
use two factor for admin
otherwise
install bruteprotect and cloak
read wordpress security checklist: getclef.com/wordpress-security-checklist