Passwords: the weakest link in WordPress security

Brennen Byrne's talk on passwords at WordCamp Minneapolis.

  1. p4sSw0rd5: the weakest link in wordpress security @brennenbyrne
  2. this talk is about security
  3. a lot of people think security is hard
  4. a lot of people think security is hard, confusing
  5. a lot of people think security is hard, confusing, complicated
  6. a lot of people think security is hard, confusing, complicated, technical, impossible, frustrating, not for you, painful, infuriating
  7. but we all know that it’s important
  8. but we all know that it’s important, and my job is to make it easy
  9. hello, my name is brennen (@brennenbyrne)
  10. I’m a founder of Clef (getclef.com)
  11. for the next 30 mins: ★ botnets ★ two-factor authentication ★ ssl ★ password rot ★ what you can do
  12. slides: getclef.com/wcmpls2014, getclef.com/wordpress-security-checklist
  13. p4sSw0rd5: the weakest link in wordpress security
  14. I don’t mean to scare you — but there is a zombie army coming for your WordPress site.
  15. the old way to break a password
  16. 1. virus that watches you type 2. guess common passwords 3. “advanced interrogation”
  17. in order to defend myself
  18. 1. don’t download viruses 2. limit wrong guesses 3. don’t anger enemy nation-states
  19. but attackers have gotten smarter
  20. botnets
  21. botnets are what happens to you when other people download viruses
  22. their computers become zombies
  23. the cycle: botnets attack sites → sites infect visitors’ computers → visitors join botnet → bigger botnet attacks more sites
  24. botnets swarm and attack your site from millions of different computers
  25. 1. don’t download viruses 2. limit wrong guesses 3. don’t anger enemy nation-states
  26. botnets are the attackers’ response to our better defenses; as wordpress becomes a better target, the incentives for breaking it rise
  27. two-factor
  28. the factors: something you know
  29. the factors: something you know, something you have
  30. the factors: something you know, something you have, something you are
  31. the only thing better than one factor of authentication is… two factors
  32. the old way of doing this meant: 1. typing your password 2. getting a text with a bunch of numbers 3. typing in the bunch of numbers (google authenticator)
  33. clef, the plugin i work on, skips the password to make two-factor much easier.
  34. ssl
  35. if you want to learn more about this, go see jesse’s crypto-101 at 3
  36. for most of us, ssl might as well stand for “secure symbol lock”; it actually stands for “secure socket layer”
  37. without ssl, everything is public: only do stuff you wouldn’t mind standing on a table and yelling about in a coffee shop, i.e. no passwords or credit cards
  38. password rot
  39. your password is strongest on the day you set it
  40. your password is strongest on the day you set it; it gets weaker every day after that
  41. 1. more time for attacker to crack 2. more computer power available 3. greater chance you’ve reused
  42. passwords pit our memories against computer brute force — we are going to lose
  43. what to do
  44. one weird trick to protect your site from all attacks
  45. delete it.
  46. use two factor for admin; otherwise install bruteprotect and cloak; read the wordpress security checklist: getclef.com/wordpress-security-checklist
  47. slides: getclef.com/wcmpls2014, getclef.com/wordpress-security-checklist
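Slides 18 and 25 list "limit wrong guesses" as a defense, and slide 24 explains why the old version of it stopped working: a botnet spreads its guesses over millions of addresses, so a limit counted per source address is never reached. The example below is added here and is not code from the talk, from Clef or from BruteProtect; it simulates a constructed botnet (addresses from the 2001:db8::/32 documentation range, one account named "admin", every guess wrong) and counts how many guesses reach the password check when the limiter is keyed by address versus by the account under attack.

```python
"""Login throttling keyed by account, not by source address.

Added example, not code from the talk, Clef or BruteProtect: a constructed
botnet of many addresses, each making a few guesses at one account, stays
under a per-address limit but is stopped by a per-account limit.
"""
from collections import defaultdict


class AttemptLimiter:
    """Locks a key out once it has max_failures failures inside a sliding window."""

    def __init__(self, max_failures=5, window_seconds=900):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self._failures = defaultdict(list)  # key -> timestamps of failed attempts

    def is_locked(self, key, now):
        recent = [t for t in self._failures[key] if now - t < self.window_seconds]
        self._failures[key] = recent
        return len(recent) >= self.max_failures

    def record_failure(self, key, now):
        self._failures[key].append(now)


def per_ip_key(ip, username):
    """Old-style keying: every address gets its own allowance of wrong guesses."""
    return ip


def per_account_key(ip, username):
    """Keying by the account under attack: all addresses share one allowance."""
    return username


def simulate_botnet(limiter, key_fn, n_bots=1000, guesses_per_bot=3):
    """Return how many wrong guesses reach the password check.

    Constructed scenario: n_bots addresses (2001:db8::/32 documentation range)
    each try guesses_per_bot wrong passwords against the 'admin' account, one
    guess every 10 ms, so the whole run fits inside the lockout window.
    """
    now = 0.0
    reached_check = 0
    for bot in range(n_bots):
        ip = f"2001:db8::{bot:x}"
        for _ in range(guesses_per_bot):
            now += 0.01
            key = key_fn(ip, "admin")
            if limiter.is_locked(key, now):
                continue            # rejected before the password is even compared
            reached_check += 1      # every guess in this scenario is wrong
            limiter.record_failure(key, now)
    return reached_check


if __name__ == "__main__":
    print("per-IP limit, guesses checked:     ", simulate_botnet(AttemptLimiter(), per_ip_key))
    print("per-account limit, guesses checked:", simulate_botnet(AttemptLimiter(), per_account_key))
```

With 1000 addresses making three guesses each, the per-address limiter lets all 3000 guesses through while the per-account limiter stops them after five. The per-account form has its own cost: anyone who deliberately guesses wrong can lock the real administrator out, which is one more reason the deck's closing advice (slide 46) is to put a second factor on the admin account rather than relying on lockouts alone.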
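Slide 32 describes the "bunch of numbers" second factor and names Google Authenticator. Those six-digit codes are TOTP (RFC 6238): an HMAC over the current 30-second time step, keyed with a secret the phone and the site share, truncated to six digits. The following is an added example written for this page (not code from the talk, Clef or Google Authenticator) that implements the scheme and checks it against the published RFC test secret, so it shows both why the code is "something you have" and why a code from a minute ago is rejected.

```python
"""TOTP (RFC 6238), the scheme behind Google Authenticator's six-digit codes.

Added example, not code from the talk or from Clef: the code is an HMAC of
the current 30-second time step under a shared secret, so holding the secret
(the phone) is the second factor and each code expires with its time step.
"""
import hashlib
import hmac
import struct
import time

# Test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"). A real
# deployment generates a random secret per user and enrols it via QR code.
RFC_TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_code(secret, at_time=None):
    """Code valid for the 30-second step that contains at_time (default: now)."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // STEP_SECONDS)


def verify_totp(secret, submitted, at_time=None, drift_steps=1):
    """Accept the code for the current step or +/- drift_steps of clock skew.

    Every candidate is compared with hmac.compare_digest and the loop never
    exits early, so timing does not reveal which step (if any) matched.
    """
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // STEP_SECONDS
    matched = False
    for delta in range(-drift_steps, drift_steps + 1):
        candidate = hotp(secret, counter + delta)
        matched |= hmac.compare_digest(candidate, submitted)
    return matched


if __name__ == "__main__":
    # RFC 6238 Appendix B vectors (SHA-1), reduced to six digits.
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000):
        print(t, totp_code(RFC_TEST_SECRET, at_time=t))
    print("code from step 1 accepted at t=89?", verify_totp(RFC_TEST_SECRET, "287082", at_time=89))
    print("code from step 1 accepted at t=120?", verify_totp(RFC_TEST_SECRET, "287082", at_time=120))
```

At time 59 the test secret yields 287082, matching the RFC vector; the same code is still accepted at time 89 (one step of skew) and rejected at time 120. A code generated on the phone never crosses the phone network, which is the practical difference between an authenticator app and the "getting a text" variant the slide mentions.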
