In the Feature Spotlight posts, we are going to highlight a feature in iThemes Security Pro and share a bit about why we developed the feature, who the feature is for, and how to use the feature.
Today we are shining the spotlight on the Password Requirements feature in iThemes Security Pro, which is a great tool to secure your WordPress login.
Why We Developed Password Requirements
We know how hard it can be to get people to follow security best practices. A strong password is an essential part of your WordPress login security. Let’s talk about some of the common password pitfalls that can put your website at risk.
1. Weak passwords are still too common.
In a list compiled by Splash Data, the most common password included in all data dumps was 123456. A data dump is a hacked database filled with user passwords dumped somewhere on the internet. Can you imagine how many people on your website are using a weak password if 123456 is the most common password in data dumps?
2. The WordPress login is the most attacked part of your website.
The WordPress login is the most attacked part of a WordPress website, and using a weak password is like trying to lock your front door with a piece of tape. By default, the WordPress login URL is the same for every WordPress site, and it doesn’t require any special permissions to access. That’s why the WordPress login page is the most attacked—and potentially vulnerable—part of any WordPress site.
3. An 8-character password can be cracked INSTANTLY.
It has never taken long for a hacker to brute force their way past a weak password into a website. Now that hackers are leveraging computer graphics cards in their attacks, the time it takes to crack a password has never been lower.
For example, let’s take a look at a chart created by Terahash, a high-performance password-cracking company. Their chart shows the time it takes to crack a password using a hashstack cluster of 448x RTX 2080s.
By default, WordPress uses MD5 to hash user passwords stored in the WP database. So, according to this chart, Terahash could crack an 8 character password … almost instantly. That is not only super impressive but is also really scary.
4. Too many people are reusing compromised passwords.
Another thing to keep in mind when it comes to password security is that you need a different strong password for each of your online accounts. If you use the same password for every site and one of those sites is compromised, you are now using a compromised password on every website. Hackers can use data dumps of compromised passwords paired with your email address or username to gain access to your accounts. It’s best not to even take the risk.
Even though 91% of people know reusing passwords is poor practice, 59% of people still reuse their passwords everywhere! Many of these people are still using passwords that they know have appeared in a database dump.
Hackers use a form of a brute force attacked called a dictionary attack. A dictionary attack is a method of breaking into a WordPress website with commonly used passwords that have appeared in database dumps. The “Collection #1″ Data Breach that was hosted on MEGA hosted included 1,160,253,228 unique combinations of email addresses and passwords. That is billion with a b. That kind of score will really help a dictionary attack narrow the most commonly used WordPress passwords.
As you can see, having a password policy is an essential part of our WordPress security strategy. However great your password policy is, it isn’t worth anything if your administrator and editors aren’t following the guidelines.
What Are Password Requirements in iThemes Security Pro?
The Password Requirement feature in iThemes Security Pro is not only your password policy, but it is also your enforcement tool. You can force members of a user group to use a strong password, choose a time of password expiration, refuse compromised passwords, and force a site-wide passwords change to make everyone comply with your new strong password policy.
- Force Strong Passwords – Force a set of users to use a strong password.
- Password Expiration – Set the maximum number of days a password can be used before it is expired.
- Refuse Compromised Passwords – Force users to use passwords that have not appeared in any password breaches tracked by Have I Been Pwned.
- Force Password Change – Force all users to change their password upon their next login.
According to the Verizon Data Breach Investigations Report, over 70% of employees reuse passwords at work. But the most important stat from the report is that 81% of hacking-related breaches leveraged either stolen or weak passwords. The iThemes Security Pro Password requirements will help secure your WordPress login against all the password pitfalls mentioned in this post.
Plus, you get the added bonus of enforcing your password policy with a click of a button. As humans, we are hardwired to take the path of least resistance. By removing the option to use weak or compromised passwords, you are helping everyone protect their accounts.
How to Use Passwords Requirements in iThemes Security Pro
To get started with your new password policy, enable Password Requirements on the main page of the security settings. Then click the Configure Settings button to fine-tune the Password Requirements option.
Now that we are in the Password Requirements settings click the Enabled checkboxes for Strong Passwords and Password Expiration. Then select appropriate User Groups for each setting. By default, the maximum age of a password is set to 120 days.
One quick note on password expiration, there are some people in the security community that think we should abandon the password expiration policy. They say that If you are using a unique and strong password, that no amount of time will make your password weaker.
Now it is time to enable the Refuse Compromised Passwords option at the bottom of the Password Requirements settings. I would recommend enabling this for all the users on your website. It is completely understandable and encouraged to make creating a new customer account as easy as possible. However, your customer may not know that the password they are using has been found in a data dump. You would be doing your customer a great service by alerting them to the fact that the password they are using has been compromised. If they are using that password everywhere, you could save them from some major headaches down the road.
Click the Save Settings button after you have your website’s password requirements configured to your liking. And finally, click the Force Password Change button to force all of your users to create a password the next time they login that complies with your new password policy.
Your WordPress login is the most attacked part of your website, and a strong password is your first line of defense. The Password Requirements feature in iThemes Security Pro makes it easy for you to create and enforce a password policy to secure and protect your WordPress login.