WP Engine

The Problem with Passwords

Kirby Prickett 2.13.2014

Do you have trouble remembering all of your passwords? Do you reuse the same ones on different sites?

Most of us commit password security sins, despite the fact that we know we shouldn’t. This is because it just seems too hard to keep up with all of the passwords we’re supposed to remember.

[Image: xkcd comic, "Password Strength"]

But what if there was an easier way?

Problems With Passwords

There are a number of problems with passwords:

  • Most of us choose bad passwords.
  • Passwords are hard to store safely.
  • People reuse passwords on multiple sites—if one service stuffs up (because they are hard to store!) and exposes your password, multiple accounts across a number of services can be compromised.
  • Passwords can be hard to pass safely.
  • The longer you have a password, the less safe it becomes.
  • Every password that falls to hackers feeds the botnet monsters, and makes the rest of us less safe.

I recently chatted to Brennen Byrne, CEO of Clef—a 2-factor authentication plugin for WordPress—who explained:

Our memories just won’t compete with computers in the long run. Computers are getting better at cracking them [passwords] a lot faster than we are getting better at remembering them.

Possible Solutions

Okay, so if passwords are so risky, what can you do about it?

  • Select a strong password.
  • Limit password login attempts.
  • Learn about Two-Factor Authentication.
  • Consider various WordPress-security plugins that are available.
  • Consider options for storing and sharing multiple passwords securely.
  • Choose your hosting carefully (WP Engine has a team, in partnership with Sucuri, that invests a lot of time and effort to stay ahead of attackers).

“We’re All In This Together”

As recent reports have stated, the problem of hack attempts and general security attacks against WordPress sites is only going to get worse.

And, as explained by Brennen from Clef:

It’s really important for us as a community to think about ways to increase the base level of security. We’re all in this together.

Some people think we should get rid of passwords altogether, and have formed the Petition Against Passwords, whose mission statement begins:

The mission of the Petition Against Passwords is to collect every frustrated yell at forgotten passwords and make sure the organizations responsible hear them. This movement is working on behalf of every person who has ever had their identity stolen, their password leaked, or been confused just trying to remember passwords and PINs for multiple sites. There are better ways to log in online and it is time we had access to them. The Petition Against Passwords is about giving us a voice in the conversation about how our identities are shaped online.

It will be interesting to see whether passwords disappear over the next few years, as we all start to move to alternative security measures.

Either way, it is important that all of us are thinking about our password security for our own sake—as well as for the safety of the WordPress community as a whole.

Have you thought about the security of your passwords lately? 


Comments

  1. Carla King says

    February 13, 2014 at 1:23 pm

    I’m not sure how savvy robot hackers are, but partnered with passwords are usernames, and for WordPress you can find anyone’s username right there in the page source. I was totally surprised when I discovered this last year.

    So I’m starting to get clever with my usernames, not just my passwords. But when I accidentally found my WordPress username I had just spent quite a bit of time coming up with, sitting right there in my source code, yikes. It had me questioning the entire username/password thing.

    Reply
  2. Greg says

    February 13, 2014 at 10:52 pm

    I came here from Google looking for a solution to turn on 2-factor authentication on WPEngine (as a customer). I couldn’t find it as an option in the control panel.

    Have you guys thought about the security of your passwords lately? 😉

    Reply
    • Kirby Prickett says

      February 14, 2014 at 11:29 am

      Hi Greg,
      You’re welcome to install any two-factor authentication plugin you’d like. Here’s a list of all the ones that are known to work here:

      Google Authenticator for WordPress
      Duo Two-Factor Authentication
      Launchkey
      Clef
      Authy Two-Factor Authentication

      As for the “security of your passwords” question, we actually install & activate Force Strong Passwords across the farm for our customers.
      Hope that helps!
      Kirby

      Reply
      • Phil D says

        December 10, 2015 at 9:22 am

        I think Greg is referring to logging into the customer portal to manage your WPE sites, my.wpengine.com. Why don’t you support two-factor auth for your customers to log in and manage their sites but recommend they enable it for their sites?

        Reply
      • Eric Nagel says

        February 8, 2016 at 11:06 am

        I’m also looking for my WP Engine account, logging in at my.wpengine.com, to support 2-factor authentication.

        Reply
  3. Steve Wilkinson says

    February 15, 2014 at 2:39 pm

    People really need to implement a good password manager. Doing so will allow them to use a strong UNIQUE password for every single site or account they use. Then, if security is ever compromised, it is only one particular spot.

    I’ve been using one called PasswordWallet (by Selznick) that has been around since my Palm days, and is available for just about every imaginable platform (and can sync between most or all of them). Since I then have my passwords available at my computer, or even at the grocery store, I can keep even non-online information in it. I’ve also heard good things about the popular 1Password, but have been somewhat unimpressed at its lack of features, despite being quite pretty compared to PasswordWallet.

    Be sure to keep backups though, as if that file gets corrupted, you wouldn’t want to lose all these accounts, as you won’t be able to guess them. (And by backups, I mean both a regular, on-going backup, AS WELL AS some form of archival where you permanently put away a snapshot of the file from time to time, as backups eventually start over-writing if done with decent regularity.) And, I like that the solutions I mention above aren’t on-line password services, you retain control of the data files.

    Another big security concern of mine, is the trend to have a common login source to so many sites, such as Facebook Connect or WordPress login at blogs, etc. I think this is a REALLY bad idea, as it trains users to be phished, by getting them used to putting in their credentials at 3rd party sites. How do you know when some site pops up a dialog asking for your Facebook login, that you’re not just passing your info on to some hackers? (I have an article on this on my blog if anyone is interested.) At least, if you’re going to do this, use something like Disqus which is only used for this purpose, and not associated with a bunch of other crucial information about you.

    Reply
    • Kirby Prickett says

      February 17, 2014 at 1:08 pm

      Thanks for sharing your thoughts and advice Steve.
      Kirby

      Reply
  4. Timothy Jacobs says

    February 18, 2014 at 10:39 pm

    SQRL. ’nuff said.

    Reply
    • Ren says

      September 29, 2016 at 1:14 pm

      Yep! – Hopefully, not too long now?…2.5 yrs later! 🙂

      But, if it performs like Steve’s other tools that I’ve used, it will be the way to go!

      Reply
  5. Jack Davis says

    February 20, 2014 at 2:27 pm

    Do you (WP Engine) allow the use of the new Clef WP plugin?

    Reply
    • Kirby Prickett says

      February 20, 2014 at 2:50 pm

      Hi Jack, thanks for your question.
      We do allow the use of Clef!
      (The list of two-factor authentication plugins that we know to work with WP Engine is here: http://wpengine.com/2014/02/13/problem-passwords/#comment-79705)
      – Kirby

      Reply
  6. Johnny Ganer says

    February 22, 2014 at 2:59 pm

    Hi…
    Good stuff to read.
    I, though, have a problem – it’s all okay when making users to the backend, but when I use WP Engine it seems that customers in the woocommerce have to use strong passwords too, they are only on the frontend, and their user role is customer in WP.
    Any way around that?

    Reply
    • Kirby Prickett says

      February 24, 2014 at 11:04 am

      Hi Johnny,
      Thanks for your feedback! Our helpful Support Team can assist you with that WooCommerce question, please submit a ticket, and they’ll take a look for you.
      – Kirby

      Reply
  7. John says

    March 6, 2015 at 3:18 am

    Can we have 2-factor auth (or IP restriction) to login to wpengine.com given how sensitive the information stored in it is?

    Reply
  8. facebook hack says

    March 5, 2017 at 10:52 pm

    It’s really a cool and helpful piece of info. I’m satisfied that you
    just shared this useful info with us. Please keep us informed like this.
    Thanks for sharing.

    Reply
