What is the significance of “20f1aeb7819d7858684c898d1e98c1bb”? It’s the MD5 hash of the name “Anthony”, and it was the password used by someone who broke into lightbluetouchpaper.org. Searching for the MD5 hash was clever, but it won’t work for long because Ryan is working on securing the WordPress cookies and passwords.
In case you’re wondering, the hacker got in because the blog was running an outdated version of WordPress.
Tips to help keep your blog safe:
- Keep all your software updated, not just WordPress. Make sure your plugins are updated too.
- Use a strong password. Don’t use words or sequences of characters like “12345” as your password. Make it a mix of letters, numbers and other characters.
- Don’t ever store your database dump online in a place Google will index. It is very easy to find such dumps with a Google search.
- If you use public WiFi or a net cafe regularly, use SSL to secure the communication with your blog. The Secure Admin plugin exists for just this purpose.
- If you use Firefox, install PwdHash. It’s simple to use and works really well.
WordPress MU admins – Fire up phpMyAdmin and look at wp_users. Try these SQL queries to find weak passwords in your database:
SELECT count(*) FROM `wp_users` WHERE user_pass = md5('wordpress');
SELECT count(*) FROM `wp_users` WHERE user_pass = md5('12345');
SELECT count(*) FROM `wp_users` WHERE user_pass = md5('qwerty');
SELECT count(*) FROM `wp_users` WHERE user_pass = md5('anthony');
SELECT count(*) FROM `wp_users` WHERE user_pass = md5('Anthony');
and because of the season:
SELECT count(*) FROM `wp_users` WHERE user_pass = md5('christmas');
Isn’t it scary how many people still use simple passwords? I must release that “Strong password” plugin we use on WordPress.com soon. That will certainly help prevent account hijacking.
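The queries above work because wp_users stores the bare MD5 of each password, so every account with the same password has the same hash. This added example (not code from the post or from WordPress) runs the whole audit in one pass over a constructed sample of wp_users rows, adds the password-equals-login check, and emits the equivalent single SQL statement; the account names and passwords are invented.

```python
import hashlib


def md5_hex(s: str) -> str:
    """Same value MySQL's md5() returns: lowercase hex of the MD5 digest."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# The candidate passwords from the queries above.
COMMON_PASSWORDS = ["wordpress", "12345", "qwerty", "anthony", "Anthony", "christmas"]

# Constructed stand-in for wp_users rows (user_login, user_pass). The accounts
# and passwords are invented; the storage format (bare MD5, no salt) is real.
SAMPLE_WP_USERS = [
    ("admin",  md5_hex("Anthony")),                  # the hash from the break-in
    ("editor", md5_hex("12345")),
    ("ryan",   md5_hex("ryan")),                     # password equals the login
    ("steven", md5_hex("correct-Horse-battery-9")),  # matches no check below
    ("mark",   md5_hex("christmas")),
]


def audit_weak_passwords(rows, common=COMMON_PASSWORDS):
    """Run every 'user_pass = md5(...)' check at once over the rows.
    Returns {user_login: reason} for each account whose hash matches a
    common password or whose password equals its own user_login."""
    lookup = {md5_hex(p): p for p in common}
    weak = {}
    for login, stored in rows:
        if stored in lookup:
            weak[login] = "common password '%s'" % lookup[stored]
        elif stored == md5_hex(login):
            weak[login] = "password equals user_login"
    return weak


def audit_sql(common=COMMON_PASSWORDS):
    """The same audit as one SQL statement that lists accounts instead of
    counting them. Only hex digests are inlined, so nothing user-controlled
    is spliced into the query."""
    hashes = ", ".join("'%s'" % md5_hex(p) for p in common)
    return ("SELECT user_login FROM `wp_users` "
            "WHERE user_pass IN (%s) OR user_pass = md5(user_login);" % hashes)


if __name__ == "__main__":
    for login, reason in audit_weak_passwords(SAMPLE_WP_USERS).items():
        print("%-8s %s" % (login, reason))
    print(audit_sql())
```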
Timely warning. I have a question, though. I have my WP backups emailed to me daily at my Gmail account.
Does that violate your third suggestion?
Thanks
Jeremy – I don’t think so. The general public can’t search our gmail inboxes, at least yet, so your backups should be safe!
I really can’t understand how someone can choose his password to be 12345.
I have been a webmaster for a long time and have had several websites where I could simply see users’ passwords in the DB. To my surprise, 30% have their birth date as their password and 30% their name or their girlfriend’s name. Only about 5-10% really have strong passwords.
Thanks for providing these tips.
Nominated to http://TodayNominated.com listings
Congrats
But e-mail is NOT a safe way of communication.
Sam – maybe he has them encrypted with PGP?
and for /very/ weak passwords:
SELECT count(*) FROM `wp_users` WHERE user_pass = md5(user_login);
(I just tried that on my own and found one!)
I’m curious. In one sentence, you state that Ryan is working on securing this, then in the very next sentence, you state that the break-in occurred because of an outdated version of WordPress.
If that was the case, why is Ryan working on it?
I understand the necessity of down-playing a vulnerability, but if it’s a problem then it should be stated as such. Either it needs to be addressed in a future version, or you need to update because the problem exists only in older versions. It can’t really be both.
thanks,
json
Not sure Secure Admin works with 2.3… I know Admin SSL, a fork of Secure Admin, seems to work.
Yup, can’t wait until the update, but I keep all of my stuff up to date for this reason exactly.
@json: Perhaps they’re moving to a salted hash which would make it MUCH harder to guess the password without knowing the salt?
Confused by Salted Hash: http://www.aspheute.com/english/20040105.asp explains it pretty well.
Json – I should have explained that better. A recent reported “vulnerability” was that passwords were only stored as md5 hashes. For the most part I think that’s fine, but it could be better, and that’s what Ryan is working on.
Read his post; it makes for interesting reading and makes password handling in WordPress a lot more flexible!
md5 hash is just fine BUT NOT without salting it (e.g. with username or date/time of first login). I mean… really…
more info: http://aspnet.4guysfromrolla.com/articles/112002-1.aspx (just so I don’t have to explain it here lol)
have fun 😉
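The salting discussion above comes down to one property: with bare md5(password), every user who picks “Anthony” gets the same hash, so one precomputed table answers the question for everyone. This added example (not code from the post or from WordPress) contrasts that storage with a hypothetical per-user salted scheme of my own devising, 'salt$md5(salt + password)', and shows the same lookup table no longer matching; the common-password list is constructed.

```python
import hashlib
import hmac
import os


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# What the reverse-MD5 lookup sites hold: md5(word) -> word, built once from a
# dictionary of common passwords (constructed short list here).
COMMON = ["wordpress", "12345", "qwerty", "anthony", "Anthony", "christmas"]
LOOKUP_TABLE = {md5_hex(w): w for w in COMMON}


def reverse_lookup(digest: str):
    """Return the word whose bare MD5 equals digest, or None if not tabled."""
    return LOOKUP_TABLE.get(digest)


def store_unsalted(password: str) -> str:
    """How wp_users stored passwords at the time: md5(password) only."""
    return md5_hex(password)


def store_salted(password: str, salt=None) -> str:
    """Hypothetical salted scheme (not WordPress's real format): a random
    per-user salt is kept beside md5(salt + password) as 'salt$digest'."""
    salt = salt if salt is not None else os.urandom(8).hex()
    return "%s$%s" % (salt, md5_hex(salt + password))


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt; constant-time compare of the digests."""
    salt, digest = stored.split("$", 1)
    return hmac.compare_digest(md5_hex(salt + password), digest)


def compare_schemes(password="Anthony"):
    """Two users pick the same password. Unsalted: identical hashes and one
    table lookup recovers the word. Salted: different hashes, and the table
    built for bare MD5 matches neither digest. Fixed salts keep it stable."""
    u1, u2 = store_unsalted(password), store_unsalted(password)
    s1, s2 = store_salted(password, "1f2e3d4c"), store_salted(password, "9a8b7c6d")
    return {
        "unsalted_identical": u1 == u2,
        "unsalted_lookup": reverse_lookup(u1),
        "salted_identical": s1 == s2,
        "salted_lookup": reverse_lookup(s1.split("$", 1)[1]),
        "salted_verifies": verify_salted(password, s1),
    }
```

A salt only defeats tables computed in advance; because MD5 is fast, a per-user guessing run against a known salt is still cheap, which is why password storage should also use a deliberately slow, iterated hash rather than a single MD5.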
Scarily, I’ve used systems that prohibit passwords from containing certain characters, for example passwords that must be alphanumeric and must not contain any other type of character, that insist on comparing them in a case-insensitive manner and that insist on them being changed every 28 days or so.
People not only need to be much more careful when choosing passwords, but also need to look at the larger picture when designing systems that require a log-in.
And yes, I can’t believe I felt the need to say all this!
Maybe we should integrate OpenID.
*Poke Poke*
Password Strength Meter patch
There seem to be several different patches relating to password strength and security, they just don’t seem to get committed.
Considering how many sites there are on the net now that will run through their database to compare a hash with known hashes, +1 for salting it or md5’ing the md5.
So… what do you recommend we do after editing hundreds of passwords 🙂
They’ll just get a new one and then reset it to an older version.
Forcing, through WP, 6 digits including a letter, number and a punctuation mark, would be a better approach…
People choose stuff that is easy to remember. Things like s4f68g54 are not easy, and thus are not often chosen. The software needs a plugin to enforce password strength; the downside is that many users will walk away when they have to think about it.
Not just Ryan! There is a whole team of people contributing to make WordPress’ hashing and cookies more robust to attack, including the person, Steven J. Murdoch, who was attacked and did such an amazing job of isolating the vector.
Guys, just a little reminder seeing how I’m constantly writing about this topic. Please don’t use weak passwords! And here is a radio interview I did on the subject.
I just can’t understand how in this day and age people still fall for this. It’s one of the classic blunders behind, ‘Don’t get involved in a land war in Asia’, and ‘Never go up against a Sicilian when DEATH is on the line!’ Muahahahaha.
John
Lloyd – of course! I should have linked to the trac ticket.
Kae – I was about to try that on the WordPress.com wp_users but it would take ages to execute and probably slow the site down. Phew.
I don’t use word passwords. All of my passwords are 12 characters, randomly generated via a program. I then save them on a thumb drive that I have on my person. When I need to log in I have my secured drive. I’m planning on getting one of those thumb drives that use your thumb print as a password to access the information … heck yeah. If for nothing else than for a complete geek factor.
But, it is amazing to me how people still use the ol’ cliche passwords. First names, pet names, middle names, birthdays, god … anyone with any shred of ‘net wisdom will realize that you need at least one number in there to break up the easy guesses.
Maybe a WP plug-in that utilises some of the popular reverse md5 lookup web sites/services:
http://md5.rednoize.com/?xml&q=20f1aeb7819d7858684c898d1e98c1bb
http://gdataonline.com/qkhash.php?mode=xml&hash=20f1aeb7819d7858684c898d1e98c1bb
The results would be used to show the user if their password is “known by hackers”.
It’s good to see some work being done in WordPress around this area.
For developers in general, who may not be familiar w/ all the ins and outs of storing user password hashes, salts, etc:
http://onwebapps.com/the-hopefully-somewhat-definitive-article-on-how-to-store-user-password-hashes/
Well, “Anthony” isn’t exactly what I call a secure password.
Try something like “ireallywouldliketoseeAnthonyagain” … that should do the trick.
Thanks for raising this topic in such a creative fashion. All someone needs to do is download a brute force utility to see how easy it is to hack their weak passwords. 8 characters should be anyone’s minimum, and those should not be dictionary entries — in any language.
And oh yes… thanks, John, for the “Princess Bride” reference.