Benjamin: Thank you for joining us for a special lunchtime conversation on security. I’m joined by Aaron Campbell who is the lead developer for the iThemes Security (Pro) plugin. Today our focus is going to be on password security.
Aaron: Glad to be here. I was asked to give a quick background intro on me so that everyone knows where I come from and who you are talking to. I’m Aaron Campbell and I’ve been working with WordPress since about 2005. Not quite from the beginning but from before it hit 2.0. And I’ve been contributing to WordPress core since 2007. Now I’m a core committer on the project and I’m on the core security team as well.
Along the way, I’ve worked with a lot of clients before coming over to iThemes. I did client work as a freelancer and then as a small company working with clients from Opera to Disney to Google. Along the way, I picked up a lot of information from their security practices and things we had to work within as a development agency. So that’s where my background in security comes from. Everything from clients like that to WordPress core and now as the lead dev for iThemes Security.
Benjamin: Let’s start this thing off with maybe just a general question. Why is security important when all we’re doing is using WordPress and publishing posts?
Aaron: Now you know that’s a good one that I actually get asked a lot. What does it matter? Who’s targeting me? Why do I need so much security? And the truth is there are two basic kinds of attacks out there.
There are definitely the targeted attacks that people think about where somebody has targeted a specific site, usually either a big one or something very politically-driven, but usually, it’s money-driven. It’s a site that processes a lot of credit cards or has a lot of private information on it and they specifically go after that and actively attack it.
But there’s a whole other type of attack, and it happens very consistently: automated attacks, where somebody has written software that is made just to go around and break into as many sites as possible using whatever means are at their disposal, whether it’s brute force, whether it’s password lists, or already known vulnerabilities in out-of-date software.
Those kinds of things happen indiscriminately to every site on the web. If your site has been on the web for more than a few weeks, it’s probably gotten at least some low-level volume of this, and the purpose for this is much more mundane. A lot of times it’s to put ads on your site, possibly even ones that are only visible from search engines or something like that, to try to make some money, or possibly just to be able to use your server in a bigger attack that is more directed at acts for future use.
They’re just basically stealing your resources, which can run up your hosting costs and can get you kicked off of a host because you look like a bad site even though it really wasn’t you.
Benjamin: The danger is out there, and I think everybody has probably already seen the articles about Mark Zuckerberg, the founder of Facebook, having a number of his social accounts hacked because he used the same password for all of his social accounts.
So I guess that leads into what we really wanted to talk today and that’s what makes a strong password?
Aaron: Passwords are your first layer of security, so the sooner we can stop someone the better. The more technical answer to what makes a strong password is that we measure it using something called entropy, or bits of entropy.
Longer passwords and more intricate passwords that use more kinds of characters, like uppercase and lowercase letters, numbers, and symbols, all increase your entropy. From a more general perspective, for you as a user, entropy is not only a very technical way of looking at it but it’s also not the whole picture. Dictionary words may add length but they don’t have near as much entropy as you might think. Personal information such as the year you graduated is not a great number to use. Your birthday is also not a good number to use. Even though that’s technically adding a number to your password, it’s not increasing security near as much as adding some random information. So, what really makes a strong password is long, random, and not used in multiple places. That’s kind of the three big ones to look for.
Benjamin: So each random character we add to a password is going to make it that much more secure.
Aaron: Yeah, when you’re looking at what a lot of people think of as the most common attack, which is not necessarily the most common attack but it’s very common, a brute force attack, where computers are literally trying AAA and then eventually AAB, ABA, until they click through and find your password. With that kind of attack, which is very common, every character dramatically increases the number of tries that it takes. As you get further down the line, adding a 12th and 13th character obviously adds so many more cycles than adding a second or third character. Every single character not only adds entropy but adds more entropy than you were adding with any of the previous characters. Longer is definitely better.
Benjamin: This just popped up in the questions because we are talking about passwords and you had mentioned something about brute force. To prevent hackers’ attempts to try over and over and over again, why hasn’t WordPress implemented something like brute force protection? I need a plugin to take care of that for WordPress.
Aaron: Brute force, unfortunately, is not as easy to stop, largely because hackers have gotten much more sophisticated over the last few years. When we gather data to guide the development process, we look at things like brute force attacks, and it’s no longer true that a single computer is trying a million passwords until it hits the one that works. A single computer is actually more capable of doing that today than ever before because we’re only getting more and more power in our PCs. It’s just not the way they do it. They make it much more difficult to track down. They try one or two passwords from one computer and then one or two from another and one or two from another, using thousands upon thousands of computers or servers or websites that they’ve hacked before. They use these broad networks to do these attacks, and so it’s much more difficult to detect them.
Benjamin: Getting back to WordPress and passwords – I know people have been curious in the past. How does WordPress store the password especially if I have a large membership site and they’re all subscribers on my WordPress site? How do I know that everything is secure like if somebody gets access to my site, can I see everybody’s passwords?
Aaron: First of all, definitely not. They can’t see everybody’s passwords. The technical phrase for how WordPress stores passwords is that they are stored as a salted hash. What that really means is that the password is encrypted, but it’s a special type of encryption. For example, if I were to give you a whole list of numbers and you were to add them all together and store the total, you couldn’t use that total to backtrack and figure out what numbers I had originally given you, because addition just doesn’t work that way. You could come up with a set of numbers that could get you to the total, but you wouldn’t know for sure that was my set of numbers. Hashing is kind of similar to that. The salt is important as well. Basically, a salt is a long random string of characters that’s unique to your site, and the purpose for that is that you can’t just create a hash table. A hash table is where you’re taking a ton of passwords, possibly even using something like a brute force algorithm, and you hash them all, and now when you do hack into somebody you can simply cross-reference the hash back to the password. But you can’t do that because your hashes are all unique to your site, and if I use the same password on your site and my site, the hash stored in WordPress wouldn’t be the same because our salts are different. This helps silo things to a single WordPress install, which is obviously important when there are hundreds of millions of WordPress installs out there.
Benjamin: So with the passwords being hashed and encrypted like that, is that why when I go to click on “I forgot my password” WordPress only sends me a link? It doesn’t actually send me my password because it technically doesn’t know it? Is that a good way to say it?
Aaron: Yes. Yeah, I mean that’s definitely part of the reason for that email. WordPress, even the admins on the site, can never get the password back for you, which is actually good. Any site that, when you request or say you forgot your password, just sends you your password is doing something wrong. Passwords should never be stored in a way that can be unencrypted and restored back to a functioning password. That is bad practice. WordPress doesn’t do that, so it can’t send you the password. What it does is verify your identity by sending you an email, figuring that if you have access to your email you must be you, and then you can use that to set a new password that you can hopefully remember or store in a password manager.
Benjamin: We will get to the password managers in just a moment, but a question that pops up periodically is that someone generates or gets a really strong, super strong password. Maybe we’re saying it’s 32 characters, really long, and they’ve personally memorized it. And they say this is a secure password and I use it everywhere, because how in the world is anyone going to guess that? Am I still safe if I have a super secure password I use everywhere?
Aaron: Definitely not! The problem with using a password everywhere is that you are expanding the chances of someone being able to figure out that password, possibly not through brute force. If you use the password at a lot of places and you use it on something that is not very important, let’s say like some game site you are addicted to, Bejeweled or something, and you log in from your local coffee shop wifi. The problem is that someone could be snooping in and snag your password that way. Through public wifi, public computers, it is far worse if you are logging into a site that doesn’t have SSL. And somebody can get your password through any number of attacks; a man in the middle attack is a common one, where they are basically taking data somewhere along the route between you and the site that you are sending it to. That’s bad, but if they steal your Bejeweled password and they mess up your high score, not such a big deal. But if they steal your Bejeweled password and they use it to log into your bank account and empty your bank, or log into your business website and deface your website, that’s much more severe. So, you don’t want to use the same password everywhere because it is simply a matter of escalation. If that does get hacked, how much damage can they cause? If it’s in a hundred places they can cause some varying levels of damage in a hundred different places. And you don’t want that.
Benjamin: Kerry in the chat room has a follow-up on that, and I know this is a concern for a lot of people I talk to. How dangerous is it to use free wifi? Are there things we should be doing when we log in to a wifi cafe or something?
Aaron: You know, free wifi is a little scary. There are things that can make it a little less so. Getting SSL on your sites, and only using sites that have SSL when you are on free wifi, is a big step in the right direction. SSL encrypts data at your browser and then unencrypts it at the website. So when that data is going through that free public system that you have no control over, it is encrypted. It’s not perfect, but it is drastically better than if you are using a site that doesn’t have SSL. And now with things available like Let’s Encrypt, where you may be able to get your hands on a free SSL certificate if your host supports it, and the cost of SSL certificates being so low even if you do need to buy one, it is absolutely important that you do that and then only use those sites on public wifi. You can also do things like set up a VPN that you use when you are on public wifi, which is kind of a way of encrypting data between you and some other source that then relays that data to wherever you are trying to send it. The other thing is open wifi vs. wifi with a password. Even if they are freely giving the password out to everyone at the coffee shop, maybe they’ve got it posted on the wall, the fact that it takes a password to get on the wifi is better. The sniffers that try to snoop your traffic have a much more difficult time on those types of networks.
Benjamin: So make sure you tell Ronald McDonald that you want a password. So I guess this is also getting into password managers. Okay, so I’m taking all this to heart and I’m never going to use one password on more than one site, I’m going to make them random. But if I have a single application that is storing all these passwords… am I putting myself into a single point of failure if someone can hack LastPass or something?
Aaron: So, a lot of people worry about what happens if LastPass gets hacked. By the way, LastPass is what I personally use. Obviously, I think they are trustworthy. I have all my passwords stored in there. The way that LastPass stores things is incredibly secure. As I set up LastPass, and even now as I go into my settings, I can change the way that all my passwords are encrypted on their end. Which means that I have some of that control… not just them. Their encryption is based on information provided by me, which includes my password. They are storing them correctly so they can’t get their hands on them, which is good. They use what’s called multi-pass encryption. I get to control the number of passes that are used. So basically everyone’s data is extremely heavily encrypted there. Every single user’s data is encrypted slightly differently using different keys, a different number of passes, possibly different algorithms. Which means that if LastPass were to get hacked, and all that data were made available, it is highly unlikely that there are going to be actual passwords getting pulled out of that. Especially not in any kind of volume. And one of the things that LastPass and some of the alternatives have done is to make it easy for you to go through and update your passwords in lots of places. In fact, for many of the sites that LastPass just understands and knows about, I can have LastPass alter my password on a site without me having to go to it. It can do large groups of sites and go through and update my passwords, so if they were to ever have some sort of critical failure, you could go through and update hundreds and hundreds of passwords in a much shorter period of time. I’m not going to say that you can do it in seconds or anything like that. But it would save you a ton of time in updating all of those.
Benjamin: One of the other things I was going to say about password managers: I’ve used LastPass, I think I’ve used them all, and right now I use Dashlane. But one thing I know that they all do is that they monitor for security breaches on certain sites. They may say that all the LinkedIn passwords are possibly hacked, so you will get an alert in your password manager letting you know that it is time to change that password. Maybe even giving you a one-click button, and it will go change it for you with some random character-generated password.
Aaron: They are also great tattletales. LastPass will alert me anytime that it sees that I’m using a duplicate password on multiple sites. And I love that, even though I see it pretty regularly because I do actually use certain standard passwords on my local development sites. Other people can’t access them anyway and they don’t contain anything that I care about, so to me that’s acceptable. But I like that it complains about that and warns me of that, because we all have the tendency to get lazy. And laziness is when you are going to find yourself falling prey to one of these attacks. So I like that it’s constantly prompting me to stop being lazy.
Benjamin: I think they also have special scores so that you can feel good about yourself.