Passwords: the weakest link in WordPress security

Brennen Byrne's talk on passwords at WordCamp Chicago 2014.

  1. passwords: the weakest link in wordpress security (@brennenbyrne, #wcchi)
  2. this talk is about security
  3. a lot of people think security is hard
  4. a lot of people think security is hard, confusing
  5. a lot of people think security is hard, confusing, complicated
  6. a lot of people think security is hard, confusing, complicated, technical, impossible, frustrating, not for you, painful, infuriating
  7. but we all know that it's important
  8. but we all know that it's important, and my job is to make it easy
  9. hello, my name is brennen (@brennenbyrne)
  10. I'm a founder of Clef (getclef.com)
  11. for the next 30 mins: ★ zombie army ★ two step (logins) ★ ssl ★ password rot ★ what you can do
  12. slides: getclef.com/wcchi2014 ★ checklist: getclef.com/wordpress-security-checklist
  13. passwords: "The weakest link in the security of anything you do online is your password." (vip.wordpress.com/security)
  14. heartbleed, jetpack, http cookies
  15. it's time to talk about the zombie army.
  16. the old way to break a password
  17. 1. a virus that watches you type; 2. guess common passwords; 3. "advanced interrogation"
  18. in order to defend myself
  19. 1. don't download viruses; 2. limit wrong guesses; 3. don't anger enemy nation-states
  20. but attackers have gotten smarter
  21. zombie army
  22. the zombie army is what happens to you when other people download viruses
  23. their computers become zombies
  24. the cycle: sites infect visitors' computers; visitors join the zombie army; zombies attack sites; the bigger army attacks more sites
  25. zombies swarm and attack your site from millions of different computers
  26. (the old defenses again:) 1. don't download viruses; 2. limit wrong guesses; 3. don't anger enemy nation-states
  27. the zombie army is the attackers' response to our better defenses: as wordpress becomes a better target, the incentives for breaking it rise
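The reason the "limit wrong guesses" defence of slides 19 and 26 stops working against the army of slides 24-27 is that the limit is almost always keyed on the client's IP address, and a botnet hands each guess to a different address. The simulation below is an added example, not code from the talk or from Clef; the `LoginGuard` class, the password list, the account and the 203.0.113.x / 198.51.100.x addresses are all constructed for the demonstration. It compares a single attacker against a per-IP limit with a hundred-bot army against the same limit, and then adds a counter keyed on the target account instead.

```python
import itertools
from collections import defaultdict

# Constructed for the demonstration: one account with a strong password and
# a short list of the "common passwords" an attacker sprays (slide 17, item 2).
USERS = {"admin": "correct horse battery staple"}
COMMON_PASSWORDS = ["123456", "password", "admin", "letmein", "qwerty", "wordpress"]


class LoginGuard:
    """Failed-login counters keyed two ways.

    max_per_ip   : wrong guesses tolerated from one client address before
                   that address is refused (the classic "limit wrong guesses").
    max_per_user : wrong guesses tolerated against one account, from any
                   address, before the account is locked pending an
                   out-of-band unlock.
    """

    def __init__(self, max_per_ip, max_per_user):
        self.max_per_ip = max_per_ip
        self.max_per_user = max_per_user
        self.ip_failures = defaultdict(int)
        self.user_failures = defaultdict(int)

    def attempt(self, ip, username, password):
        """Return one of: 'blocked-ip', 'locked-account', 'ok', 'bad-password'."""
        if self.ip_failures[ip] >= self.max_per_ip:
            return "blocked-ip"
        if self.user_failures[username] >= self.max_per_user:
            return "locked-account"
        if USERS.get(username) == password:
            return "ok"
        self.ip_failures[ip] += 1
        self.user_failures[username] += 1
        return "bad-password"


def campaign(guard, ips, n_guesses, username="admin"):
    """Spray n_guesses common passwords at one account, rotating through the
    given source addresses round-robin. Returns a tally of outcomes."""
    tally = defaultdict(int)
    passwords = itertools.islice(itertools.cycle(COMMON_PASSWORDS), n_guesses)
    for ip, pw in zip(itertools.cycle(ips), passwords):
        tally[guard.attempt(ip, username, pw)] += 1
    return dict(tally)


NO_LIMIT = 10**9  # effectively disables one of the two counters


def single_attacker(n_guesses=100):
    """One machine, per-IP limit of 5: the old defence works (5 guesses, then refused)."""
    guard = LoginGuard(max_per_ip=5, max_per_user=NO_LIMIT)
    return campaign(guard, ["203.0.113.7"], n_guesses)


def zombie_army_per_ip_only(n_bots=100, n_guesses=100):
    """100 infected machines, one guess each: the per-IP counter never fires."""
    guard = LoginGuard(max_per_ip=5, max_per_user=NO_LIMIT)
    bots = [f"198.51.100.{i}" for i in range(n_bots)]
    return campaign(guard, bots, n_guesses)


def zombie_army_with_account_lock(n_bots=100, n_guesses=100, max_per_user=20):
    """Same army, but failures are also counted against the targeted account."""
    guard = LoginGuard(max_per_ip=5, max_per_user=max_per_user)
    bots = [f"198.51.100.{i}" for i in range(n_bots)]
    return campaign(guard, bots, n_guesses)


if __name__ == "__main__":
    print("single attacker, per-IP limit  :", single_attacker())
    print("zombie army, per-IP limit only :", zombie_army_per_ip_only())
    print("zombie army, per-account lock  :", zombie_army_with_account_lock())
```

The per-account counter catches the distributed campaign, but it creates a problem the per-IP rule did not have: anyone who can send twenty junk guesses can now lock the real administrator out, so a hard lock is itself a denial-of-service lever. That trade-off is why the talk's answer is a second factor rather than a stricter guess limit, and why protection services try to pool attacker addresses seen across many sites instead of relying on one site's view.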
  28. two step
  29. the steps: something you know
  30. the steps: something you know, something you have
  31. the steps: something you know, something you have, something you are
  32. the only thing better than one factor of authentication is... two factors
  33. the old way of doing this meant: 1. typing your password; 2. getting a bunch of numbers by text (or from an app like google authenticator); 3. typing in the bunch of numbers
  34. clef, the plugin i work on, skips the password to make two-factor much easier.
  35. ssl
  36. s = safe, ss = safe safe, ssl = safe safe lock (*it actually stands for "Secure Sockets Layer")
  40. without ssl, everything is public: only do stuff you wouldn't mind standing on a table and yelling about in a coffee shop, i.e. no passwords or credit cards
  41. password rot
  42. your password is strongest on the day you set it
  43. your password is strongest on the day you set it; it gets weaker every day after that
  44. 1. more time for the attacker to crack it; 2. more computer power available; 3. greater chance you've reused it
  45. passwords pit our memories against computer brute force: we are going to lose
  46. what to do
  47. one weird trick to protect your site from all attacks
  48. delete it.
  49. use two factor for admin; otherwise install bruteprotect and cloak; read the wordpress security checklist: getclef.com/wordpress-security-checklist
  50. slides: getclef.com/wcchi2014 ★ checklist: getclef.com/wordpress-security-checklist
