Passwords: the weakest link in WordPress security
- 1. p4sSw0rd5: the weakest link in wordpress security @brennenbyrne
- 2. this talk is about security @brennenbyrne
- 3. a lot of people think security is hard @brennenbyrne
- 4. a lot of people think security is hard confusing @brennenbyrne
- 5. a lot of people think security is hard confusing complicated @brennenbyrne
- 6. a lot of people think security is hard confusing complicated technical impossible frustrating not for you painful infuriating @brennenbyrne
- 7. but we all know that it’s important @brennenbyrne
- 8. but we all know that it’s important and my job is to make it easy @brennenbyrne
- 9. hello, my name is brennen (@brennenbyrne) @brennenbyrne
- 10. I’m a founder of Clef (getclef.com) @brennenbyrne
- 11. for the next 30 mins ★ botnets ★ two-factor authentication ★ ssl ★ password rot ★ what you can do @brennenbyrne
- 13. p4sSw0rd5: the weakest link in wordpress security @brennenbyrne
- 14. I don’t mean to scare you — but there is a zombie army coming for your WordPress site. @brennenbyrne
- 15. the old way to break a password @brennenbyrne
- 16. 2. guess common passwords 1. virus that watches you type 3. “advanced interrogation” @brennenbyrne
- 17. in order to defend myself @brennenbyrne
- 18. 2. limit wrong guesses 1. don’t download viruses 3. don’t anger enemy nation-states @brennenbyrne
- 19. but attackers have gotten smarter @brennenbyrne
- 21. botnets are what happens to you when other people download viruses @brennenbyrne
- 23. sites infect visitors’ computers botnets attack sites visitors join botnet bigger botnet attacks more sites @brennenbyrne
- 24. botnets swarm and attack your site from millions of different computers @brennenbyrne
- 25. 2. limit wrong guesses 1. don’t download viruses 3. don’t anger enemy nation-states @brennenbyrne
- 26. botnets are the attackers’ response to our better defenses as wordpress becomes a better target the incentives for breaking it rise @brennenbyrne
- 29. something you something you @brennenbyrne the factors know have
- 30. something you @brennenbyrne the factors know something you have something you are
- 31. @brennenbyrne the only thing better than one factor of authentication is… two factors
- 32. the old way of doing this meant: ! 1. typing your password 2. getting a text with a bunch of numbers 3. typing in the bunch of numbers ! (google authenticator) @brennenbyrne
- 33. @brennenbyrne clef, the plugin i work on, skips the password to make two-factor much easier.
- 35. if you want to learn more about this, go see jesse’s crypto-101 at 3 @brennenbyrne
- 36. @brennenbyrne for most of us, ssl might as well stand for secure symbol lock it actually stands for “secure socket layer”
- 37. without ssl, everything is public @brennenbyrne only do stuff you wouldn’t mind standing on a table and yelling about in a coffee shop i.e. no passwords or credit cards
- 39. @brennenbyrne your password is strongest on the day you set it
- 40. @brennenbyrne your password is strongest on the day you set it it gets weaker every day after that
- 41. 2. more computer power available 1. more time for attacker to crack 3. greater chance you’ve reused @brennenbyrne
- 42. passwords pit our memories against computer brute force — we are going to lose @brennenbyrne
- 44. @brennenbyrne one weird trick to protect your site from all attacks
- 46. use two factor for admin @brennenbyrne otherwise install bruteprotect and cloak read wordpress security checklist getclef.com/wordpress-security-checklist