PHP – Password Exposed Helper Function

Password Exposed Helper Function is a tiny PHP library that helps checking user passwords against the Have I Been P0wned website API.

This is quite common new functionality on many websites and services (see GitHub, for example), which is now available as a quick composer dependency for your PHP projects.

Tek Security Group’s Password Repository

Tek Security Group’s Password Repository

In this repository you will find helpful authentication brute forcing files. These files include known password defaults, usernames, common and specialized dictionaries, etc.

WordPress passwords and brute force

WordPress passwords and brute force

From the man himself:

Here’s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password, if you’re on turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem. Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).

SSH dynamic black list

Slashdot runs the post on how bots are now trying higher ports for SSH password guessing.  This is not a problem for those who do key-based authentication, but for those who have to have password authentication enabled, there is plenty of good advice in the comments to the post.  One of the comments provides this handy iptables-based dynamic black list:

iptables --new-chain SSHTHROTTLE
iptables --append SSHTHROTTLE --match recent --name bad_actors --update --seconds 86400 --jump DROP
iptables --append SSHTHROTTLE --match hashlimit --hashlimit-name ssh_throttle --hashlimit-upto 5/hour --hashlimit-mode srcip --hashlimit-burst 2 --jump ACCEPT
iptables --append SSHTHROTTLE --match recent --name bad_actors --set --jump DROP
iptables --append INPUT --in-interface ext+ --proto tcp --match conntrack --ctstate NEW --dport 22 --syn --jump SSHTHROTTLE

I haven’t tried it out myself yet, but I’m saving it here for the next time I have a server with password-based authentication SSH.

The passwords are officially obsolete

Slashdot is reporting the story:

a cluster of five, 4U servers equipped with 25 AMD Radeon GPUs communicating at 10 Gbps and 20 Gbps over Infiniband switched fabric. Gosney’s system elevates password cracking to the next level, and effectively renders even the strongest passwords protected with weaker encryption algorithms, like Microsoft’s LM and NTLM, obsolete. In a test, the researcher’s system was able to generate 348 billion NTLM password hash checks per second. That renders even the most secure password vulnerable to compute-intensive brute force and wordlist (or dictionary) attacks. A 14 character Windows XP password hashed using LM for example, would fall in just six minutes


Gosney’s cluster cranks out more than 77 million brute force attempts per second against MD5crypt.

One of my favorite comments to the story:

So now that passwords as a system is officially broken, can we please move on to something better? Something that wasn’t invented to allow soldiers standing watch in the middle of the night to tell their mates from their enemies, but is actually designed for computers?

Solutions?  Well, for remote connectivity, I’ve been using SSH with key-based authentication.  For the websites, Google seems to be leading the 2-way authentication progress, with a combination of password and a one-time code via SMS.  These aren’t perfect, but they seem to be better than just a password.