On 06/02/13 22:38, Simon Avery wrote:
>
> coordinated; the IPs used are geographically diverse so probably
> compromised machines.

Did you check? A lot of abuse we see now is from servers, and my suspicion is that these are purchased machines. Purchased with doubtful credit cards perhaps, but at least for some server vendors, if they are compromised at that sort of level it suggests negligence.

> As before, WP is not insecure, just popular - that they're trying to
> bruteforce the admin account just shows it's the easiest way in rather
> than another exploit

Not necessarily. It shows enough people pick poor passwords to justify the effort. The advantage of the approach is it will work till everyone picks good passwords, whereas any specific vulnerability will work till Wordpress is upgraded, and the insecure versions are probably already owned.

> Maybe more ways?

Use a good password? A 22 character random password which is case sensitive and chosen in a properly random fashion from alphanumerics has about 128 bits of entropy. On average an attacker has to try half the password space to guess that, so 2^127 attempts. At 100 guesses a second we need 2^127 ÷ (100 × 86400 × 365 × 13000000000) current ages of the Universe to guess it. I make that of the order of 10^18 times the current age of the Universe.

The count presumes the attacker knows the length of the password, but that is irrelevant, because the time to guess a shorter password (say 21 characters), of order 10^11 times the age of the Universe, is so much smaller than 10^18 times the age of the Universe that it can be ignored for the purposes at hand ;)

Clearly if a password like this is compromised it is because I don't have an SSL cert on my blog (wireless sniffing), or because my password manager was compromised; it is unlikely it has been guessed.

The advice on password length is usually based on the assumption the hash can be intercepted at some point, and the original password derived from brute force attacks on the hash. On this basis it is usual to suggest a minimum of 12 characters, but that makes some assumptions about the password protocols in use. Since by 12 characters of good random passwords you are going to use a password manager, and it makes no difference once you have a password manager whether it is 12 or 22, pick a length that is long enough.

I like your other advice too: if you can restrict access, then it will protect you even if the password is compromised by other means (such as those I mention). But a good password is worth its salt.

My problem is system passwords, and other passwords not easily managed by a password manager. Hefting around and managing SSH keys has its own issues, so I mostly use system passwords that are in my head, and whilst some of these are long they are not randomly chosen from all available characters. Some are probably not long enough, although where possible I also restrict access to services so they can't be guessed at.

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
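The arithmetic in the message above, worked through as an added example that is not part of the original post: the expected guess count and Universe-age figures at the post's 100 online guesses per second, plus two points the post only mentions in passing, the cost of the attacker not knowing the length and the far faster offline rate against an intercepted hash. The offline rate of 10^10 hashes per second is an assumption of mine, not a figure from the post; all other constants are the post's.

```python
import math
from fractions import Fraction

# Figures used in the post: alphanumeric alphabet, 100 online guesses
# per second, 365-day years and a 13-billion-year-old Universe.
ALPHANUMERIC = 62
ONLINE_GUESSES_PER_SECOND = 100
SECONDS_PER_YEAR = 86400 * 365
UNIVERSE_AGE_YEARS = 13_000_000_000


def entropy_bits(length, alphabet_size=ALPHANUMERIC):
    """Bits of entropy of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def expected_guesses(length, alphabet_size=ALPHANUMERIC):
    """Guesses needed on average: half the space, attacker knows the length."""
    return alphabet_size ** length // 2


def expected_guesses_unknown_length(max_length, alphabet_size=ALPHANUMERIC):
    """Same, when the attacker must exhaust every shorter length first."""
    shorter = sum(alphabet_size ** k for k in range(1, max_length))
    return shorter + expected_guesses(max_length, alphabet_size)


def universe_ages(guesses, rate=ONLINE_GUESSES_PER_SECOND):
    """How many ages of the Universe `guesses` take at `rate` per second (exact)."""
    return Fraction(guesses, rate * SECONDS_PER_YEAR * UNIVERSE_AGE_YEARS)


def ages_from_bits(bits, rate=ONLINE_GUESSES_PER_SECOND):
    """The post's shortcut: 'about b bits' means 2^(b-1) attempts on average."""
    return universe_ages(2 ** (bits - 1), rate)


if __name__ == "__main__":
    print(f"22 chars: {entropy_bits(22):.1f} bits; 2^127 attempts at 100/s = "
          f"{float(ages_from_bits(128)):.2e} ages of the Universe")
    overhead = Fraction(expected_guesses_unknown_length(22), expected_guesses(22))
    print(f"not knowing the length only multiplies the work by {float(overhead):.4f}")
    # Assumed offline rate (mine, not the post's): 1e10 hashes/s against a leaked fast hash.
    for length in (12, 22):
        years = expected_guesses(length) / 10**10 / SECONDS_PER_YEAR
        print(f"{length} chars offline at 1e10/s: about {years:.3g} years")
```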