passwords the weakest link in wordpress security @brennenbyrne #wcchi
Passwords: the weakest link in WordPress security
Nov 01, 2014
Brennen Byrne's talk on passwords at WordCamp Chicago 2014.
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
passwordsthe weakest link in wordpress security
@brennenbyrne#wcchi
this talk is about
security
@brennenbyrne#wcchi
a lot of people think security is
hard
@brennenbyrne#wcchi
a lot of people think security is
hard
confusing
@brennenbyrne#wcchi
a lot of people think security is
hard
confusingcomplicated
@brennenbyrne#wcchi
a lot of people think security is
hard
confusingcomplicated
technical
impossible
frustratingnot for you
painful
infuriating
@brennenbyrne#wcchi
but we all know that it’s
important
@brennenbyrne#wcchi
but we all know that it’s
important
and my job is to make it
easy
@brennenbyrne#wcchi
hello, my name is brennen (@brennenbyrne)
@brennenbyrne#wcchi
I’m a founder of Clef (getclef.com)
@brennenbyrne#wcchi
for the next 30 mins
★ zombie army
★ two step (logins)
★ ssl
★password rot
★what you can do
@brennenbyrne#wcchi
getclef.com/wcchi2014
getclef.com/wordpress-security-checklist
slides
@brennenbyrne#wcchi
passwords“The weakest link in the security of anything
you do online is your password.”
@brennenbyrne
—vip.wordpress.com/security
#wcchi
heartbleed jetpack
http cookies
@brennenbyrne#wcchi
it’s time to talk about the zombie
army.
@brennenbyrne#wcchi
the old way to break a password
@brennenbyrne#wcchi
2. guess common passwords
1. virus that watches you type
3. “advanced interrogation”
@brennenbyrne#wcchi
in order to defend myself
@brennenbyrne#wcchi
2. limit wrong guesses
1. don’t download viruses
3. don’t anger enemy nation-states
@brennenbyrne#wcchi
but attackers have gotten smarter
@brennenbyrne#wcchi
zombie army
@brennenbyrne#wcchi
the zombie army is what happens to you when other people download viruses
@brennenbyrne#wcchi
their computers become
zombies
@brennenbyrne#wcchi
sites infect visitors’ computers
zombies attack sites
visitors join zombie army
bigger army attacks more sites
@brennenbyrne#wcchi
zombies swarm and attack your site from millions of different computers
@brennenbyrne#wcchi
2. limit wrong guesses
1. don’t download viruses
3. don’t anger enemy nation-states
@brennenbyrne#wcchi
the zombie army is attackers’ response to our better defenses
as wordpress becomes a better target the incentives for breaking it rise
@brennenbyrne#wcchi
two step
@brennenbyrne#wcchi
something you
@brennenbyrne
the steps
know
#wcchi
something you
something you
@brennenbyrne
the steps
know
have
#wcchi
something you
@brennenbyrne
the steps
know
something you have
something you are
#wcchi
@brennenbyrne
the only thing better than one factor of authentication is…
two factors
#wcchi
the old way of doing this meant: !
1. typing your password 2. getting a text with a bunch of numbers 3. typing in the bunch of numbers !
(google authenticator)
@brennenbyrne#wcchi
@brennenbyrne
clef, the plugin i work on, skips the password to make two-factor much easier.
#wcchi
ssl
@brennenbyrne#wcchi
@brennenbyrne
s = safe ss = safe safe
ssl = safe safe lock
it actually stands for “secure socket layer”
#wcchi
@brennenbyrne
s = safe ss = safe safe
ssl = safe safe lock
it actually stands for “secure socket layer”
#wcchi
@brennenbyrne
s = safe ss = safe safe
ssl = safe safe lock
*it actually stands for “secure socket layer”
#wcchi
@brennenbyrne
s = safe ss = safe safe
ssl = safe safe lock
*it actually stands for “secure socket layer”
#wcchi
without ssl, everything is public
@brennenbyrne
only do stuff you wouldn’t mind standing on a table
and yelling about in a coffee shop
i.e. no passwords or credit cards
#wcchi
password rot
@brennenbyrne#wcchi
@brennenbyrne
your password is strongest on the day you set it
#wcchi
@brennenbyrne
your password is strongest on the day you set it
it gets weaker every day after that
#wcchi
2. more computer power available
1. more time for attacker to crack
3. greater chance you’ve reused
@brennenbyrne#wcchi
passwords pit our memories against
computer brute force — we are going to lose
@brennenbyrne#wcchi
what to do
@brennenbyrne#wcchi
@brennenbyrne
one weird trick to protect your site from all attacks
#wcchi
@brennenbyrne
delete it.
#wcchi
use two factor for admin
@brennenbyrne
otherwise
install bruteprotect and cloak
read wordpress security checklistgetclef.com/wordpress-security-checklist
#wcchi
getclef.com/wcchi2014
getclef.com/wordpress-security-checklist
slides
@brennenbyrne#wcchi
Related Documents
