Password Protection round x

General

my friend Angie pointed me to this latest twitter status update and I thought it was worth sharing.

It appears that for a number of years, a person has been creating torrent sites that require a login and password as well as creating forums set up for torrent site usage and then selling these purportedly well-crafted sites and forums to other people innocently looking to start a download site of their very own. However, these sites came with a little extra ” security exploits and backdoors throughout the system. This person then waited for the forums and sites to get popular and then used those exploits to get access to the username, email address, and password of every person who had signed up. – http://status.twitter.com/post/367671822/reason-4132-for-changing-your-password

so let’s recap, user creates turnkey websites with backdoor to grab all usernames, emails and passwords then uses the email/password username/password combinations on numerous sites. You can read the daily mail style Techcrunch reaction.

Now remember…

A scary 92% of people use the same password across all websites including their email accounts.

that was based off Venture Skills research that we presented last year, you may remember the post it was imaginatively entitled please stop using the same passwords. Um it would appear people didn’t!!!

While the latest scam hit a big site userbase, literally thousands of sites can be using scripts with backdoors or even deliberately attempting to store usernames and passwords in clear for reuse in hacking attempts. What’s more with “invite your friend” scripts still doing the rounds, people are literally giving away the keys to their gmail, yahoo accounts.


back in 2008 I wrote a post on how easy it was to manipulate the invite your friend scripts with just one line of code turning them from a benign tool to literally a way to drain you dry.

Solving Password problems

While in the perfect world every site would have a unique password this is not going to happen. Therefore you need to organise yourself into creating a series of passwords (with the higher security risk being both unique and non linked) here is some handy hints…

  • Never use the same password for email and bank details (including PayPal)
  • If you struggle with alphanumeric passwords or need to change passwords monthly look at including the date or some representation of the date for better security within the password.
  • If you are required to include a capital letter don’t do it at the start of the password ;)
  • pass phrases tend to be much harder to crack while easier to remember
  • Never use an inviter script that asks for your password to your email account
  • don’t use the same password on that torrent site as your twitter account

Remember if some one accesses your primary email account what information can they get about you?

Helping you and your customers stay safe


WordPress Security Consulting Services

Power Hour Consulting

Want to get expert advice on your site's security? Whether you're dealing with a hacked site or looking to future-proof your security, Tim will provide personalised guidance and answer any questions you may have. A power hour call is an ideal starting place for a project or a way to break deadlocks in complex problems.

Learn more

Site Reviews

Want to feel confident about your site's security and performance? A website review from Tim has got you covered. Using a powerful combination of automated and manual testing to analyse your site for any potential vulnerabilities or performance issues. With a comprehensive report and, importantly, recommendations for each action required.

Learn more

Code Reviews

Is your plugin or theme code secure and performing at its best? Tim provides a comprehensive code review, that combine the power of manual and automated testing, as well as a line-by-line analysis of your code base. With actionable insights, to help you optimise your code's security and performance.

Learn more

Or let's chat about your security?

Book a FREE 20 minute call with me to see how you can improve your WordPress Security.

(No Strings Attached, honest!)