WordPress passwords and brute force

From the man himself:

Here’s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem. Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).

SSH dynamic black list

Slashdot runs a post on how bots are now trying SSH password guessing on non-standard ports.  This is not a problem for those who use key-based authentication, but for those who must keep password authentication enabled, there is plenty of good advice in the comments to the post.  One of the comments provides this handy iptables-based dynamic blacklist:

# Dedicated chain for new inbound SSH connections
iptables --new-chain SSHTHROTTLE
# Source already on the ban list within the last 24 h: refresh its timestamp and drop
iptables --append SSHTHROTTLE --match recent --name bad_actors --update --seconds 86400 --jump DROP
# Per-source rate limit: up to 5 new connections per hour, burst of 2
iptables --append SSHTHROTTLE --match hashlimit --hashlimit-name ssh_throttle --hashlimit-upto 5/hour --hashlimit-mode srcip --hashlimit-burst 2 --jump ACCEPT
# Over the limit: put the source on the ban list and drop
iptables --append SSHTHROTTLE --match recent --name bad_actors --set --jump DROP
# Send new TCP SYNs to port 22 arriving on external interfaces through the chain
iptables --append INPUT --in-interface ext+ --proto tcp --match conntrack --ctstate NEW --dport 22 --syn --jump SSHTHROTTLE

I haven’t tried it out myself yet, but I’m saving it here for the next time I have a server with password-based SSH authentication.
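To see what the ruleset actually does to a stream of connections before putting it on a box, here is a small model of the SSHTHROTTLE chain's decision logic. This is an added example, not code from the post or from the Slashdot comment; the addresses and timestamps are constructed test data, and the token-bucket refill is an approximation of xt_hashlimit, not the kernel's exact credit arithmetic. Two things worth noticing: the chain counts new TCP connections, not failed logins (one connection still gets MaxAuthTries password attempts), and the `--update` on the first rule means every retry while banned extends the ban by another full day, including your own retries if you trip it.

```python
# Added example (not from the original post or the Slashdot comment): a model of
# the SSHTHROTTLE chain to show what the rate limit and the 24 h ban do to a
# sequence of new SSH connections.  Addresses and timestamps are constructed.
# The refill logic approximates xt_hashlimit as a plain token bucket.
from dataclasses import dataclass, field

RATE_PER_SEC = 5 / 3600.0   # --hashlimit-upto 5/hour
BURST = 2                    # --hashlimit-burst 2
BAN_SECONDS = 86400          # --seconds 86400 on the 'recent' match

ACCEPT = "ACCEPT"
DROP_BANNED = "DROP (already on bad_actors)"
DROP_NEW_BAN = "DROP (added to bad_actors)"


@dataclass
class SshThrottle:
    """Per-source state behind the three rules in the SSHTHROTTLE chain."""
    bucket: dict = field(default_factory=dict)      # srcip -> (tokens, last_ts)
    bad_actors: dict = field(default_factory=dict)  # srcip -> last_seen_ts

    def new_connection(self, src: str, ts: float) -> str:
        # Rule 1: --match recent --name bad_actors --update --seconds 86400 --jump DROP
        # Matches if the source was seen within BAN_SECONDS and refreshes the
        # timestamp, so each retry while banned pushes the ban out another day.
        last = self.bad_actors.get(src)
        if last is not None and ts - last <= BAN_SECONDS:
            self.bad_actors[src] = ts
            return DROP_BANNED

        # Rule 2: --match hashlimit --hashlimit-upto 5/hour --hashlimit-burst 2 --jump ACCEPT
        # Token bucket: BURST tokens, refilled at 5 per hour, one token per SYN.
        tokens, last_ts = self.bucket.get(src, (float(BURST), ts))
        tokens = min(float(BURST), tokens + (ts - last_ts) * RATE_PER_SEC)
        if tokens >= 1.0:
            self.bucket[src] = (tokens - 1.0, ts)
            return ACCEPT
        self.bucket[src] = (tokens, ts)

        # Rule 3: --match recent --name bad_actors --set --jump DROP
        self.bad_actors[src] = ts
        return DROP_NEW_BAN


def simulate(events):
    """Run (srcip, timestamp) pairs through one chain instance; return the verdicts."""
    chain = SshThrottle()
    return [chain.new_connection(src, ts) for src, ts in events]


if __name__ == "__main__":
    # Constructed scenario: a guesser hammers port 22, an admin connects every
    # 20 minutes, the guesser retries a day later and then stays quiet for a day.
    events = [
        ("198.51.100.7", 0), ("198.51.100.7", 1), ("198.51.100.7", 2), ("198.51.100.7", 3),
        ("203.0.113.9", 5), ("203.0.113.9", 1205), ("203.0.113.9", 2405),
        ("198.51.100.7", 86403),          # exactly 86400 s after the last refresh: still banned
        ("198.51.100.7", 86403 + 86401),  # a full quiet day later: ban expired, bucket refilled
    ]
    for (src, ts), verdict in zip(events, simulate(events)):
        print(f"t={ts:>7}  {src:<14} {verdict}")
```

The third SYN within a couple of seconds is what triggers the ban, so a legitimate user who reconnects three times in quick succession after a typo is locked out for a day; raise `--hashlimit-burst` or whitelist your own addresses ahead of the chain if that matters.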

The passwords are officially obsolete

Slashdot is reporting the story:

a cluster of five, 4U servers equipped with 25 AMD Radeon GPUs communicating at 10 Gbps and 20 Gbps over Infiniband switched fabric. Gosney’s system elevates password cracking to the next level, and effectively renders even the strongest passwords protected with weaker encryption algorithms, like Microsoft’s LM and NTLM, obsolete. In a test, the researcher’s system was able to generate 348 billion NTLM password hash checks per second. That renders even the most secure password vulnerable to compute-intensive brute force and wordlist (or dictionary) attacks. A 14 character Windows XP password hashed using LM for example, would fall in just six minutes

[…]

Gosney’s cluster cranks out more than 77 million brute force attempts per second against MD5crypt.

One of my favorite comments to the story:

So now that passwords as a system is officially broken, can we please move on to something better? Something that wasn’t invented to allow soldiers standing watch in the middle of the night to tell their mates from their enemies, but is actually designed for computers?

Solutions?  Well, for remote connectivity, I’ve been using SSH with key-based authentication.  For websites, Google seems to be leading the two-step verification effort, with a combination of a password and a one-time code sent via SMS.  These aren’t perfect, but they are better than a password alone.
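Key-based SSH only removes the password-guessing problem if password and keyboard-interactive authentication are actually off, and sshd_config has a rule that catches people out: for each keyword the first value wins, and a commented-out line means the default (which for PasswordAuthentication is yes) applies. Here is an added example, not code from the original post, that checks the global section of an sshd_config for the key-only settings; the two configs are constructed samples. It deliberately stops at the first Match block, since a Match block can re-enable password login for some users and needs to be read separately.

```python
# Added example (not from the original post): check an sshd_config for the
# settings that make SSH key-only.  The sample configs are constructed.
# sshd_config rules modelled here: the FIRST value for a keyword wins, a
# missing keyword takes sshd's default, and everything after a Match line is
# conditional, so this check does not look past it.

# keyword -> (sshd default when absent, value required for key-only login)
REQUIRED = {
    "passwordauthentication": ("yes", "no"),
    "kbdinteractiveauthentication": ("yes", "no"),   # ChallengeResponseAuthentication in older releases
    "pubkeyauthentication": ("yes", "yes"),
    "permitemptypasswords": ("no", "no"),
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(config_text):
    """Return {keyword: first value} for the global section of an sshd_config."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" or "Keyword=value"
        parts = line.replace("=", " ", 1).split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break                       # conditional section: not global policy
        if key not in seen and len(parts) == 2:
            seen[key] = parts[1].strip().lower()
    return seen


def key_only_findings(config_text):
    """List keywords whose effective value still permits password-based login."""
    seen = effective_settings(config_text)
    findings = []
    for key, (default, wanted) in REQUIRED.items():
        value = seen.get(key, default)
        if value != wanted:
            findings.append(f"{key}={value} (want {wanted})")
    return findings


# Constructed sample: looks locked down, but the only relevant line is a comment
WEAK = """\
#PasswordAuthentication no
PermitRootLogin yes
"""

# Constructed sample: key-only; the later duplicate and the Match block do not
# change the global result, though the Match block does re-enable passwords
# for one user and should be reviewed on its own
HARDENED = """\
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, key_only_findings(cfg) or "key-only: OK")
```

On a live host, `sshd -T` prints the effective configuration after all parsing and is the authoritative thing to feed into a check like this; the file parser above is for reviewing configs offline.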

Microsoft takes password security to the next level

I’ve spotted this link somewhere online, and I think this is funny.

Error Message: Your Password Must Be at Least 18770 Characters and Cannot Repeat Any of Your Previous 30689 Passwords

The solution is, as always, to obtain the latest service pack.

All credit card PIN codes in the world leaked!!!

The linked document contains all PIN codes for all credit cards from all banks in the world!  Just check the numbers and see if your PIN codes are there too.  If they are, urgently request a PIN change from your bank.  Make sure to change it to one of those that are not in that document.

Passwords are like women

I don’t know if this was posted by someone else somewhere else before (probably it was), but that’s what I came up with yesterday, while explaining our password policy to one of the (male) colleagues.

Passwords are like women:

  • you should have as many of them as you can
  • you should change them as often as you can
  • you should never share them with another man

Judging by the reaction, I got the point across.