>> coordinated; the ips used are geographically diverse so probably
>> compromised machines.
>
> Did you check. A lot of abuse we see now is from servers, and my

I haven't, actually, you could be right. Y'know, I think I might replace wp-login.php with my own script that'll do some more detailed logging and record the passwords used too.

>> As before, WP is not insecure, just popular - that they're trying to
>> bruteforce the admin account just shows it's the easiest way in rather
>> than another exploit
>
> It shows enough people pick poor passwords to justify the effort. The
> advantage of the approach is it will work till everyone picks good
> passwords, whereas any specific vulnerability will work till Wordpress
> is upgraded, and the insecure versions are probably already owned.

I don't think there are that many insecure versions, and those that do turn up are nearly always plugin related (sometimes poor quality, not peer reviewed to the same standard). But yes, why do the hard work when the easiest vector is a predictable username with full rights and a password that's weak. WP has a nice strength meter when you choose it, but, well, people are people.

>> Maybe more ways?
>
> Use a good password? Simple :)
>
> A 22 character random password which is case sensitive and chosen in a
> properly random fashion from alphanumerics has about 128 bits of entropy.

Theory vs practicality. Almost nobody will use a password like that, and if they were forced to by employers, for example, it would be written down and stuck on the monitor, and the office cleaner becomes the most powerful person on the payroll. I think a good compromise is a simple pass phrase, including a space or two. "my name is lovely", "you smell of cheese", "my feet are lemons", "giraffes hate mongooses", "my grammar bad is", "pingu is a racist". Not very vulnerable to dictionary, rainbow tables or bruteforce, but easily remembered by even the most non-technical person.

Fortunately stupid software that limits passwords to low numbers is getting rarer.

> Clearly if a password like this is compromised it is because I don't
> have an SSL cert on my blog (wireless sniffing), or because my password
> manager was compromised, it is unlikely it has been guessed.

Yes, but here we've moved into the much, much rarer "there's a human at the other end who is determined" scenario, which is much harder to defend against than the constant and relentless bots.

> I like your other advice too, if you can restrict access, then it will
> protect you even if the password is compromised by other means (such as
> those I mention). But a good password is worth its salt.

Agree, and for admins and others who have to keep tabs on a lot of passwords, a password safe or similar is not a bad thing. (There are other methods too - a text file renamed as a binary or system file deep in the fs on a random machine and protected with some user perms is one that doesn't require client software.) But I know that striking the balance between secure passwords and giving the users a chance of remembering them does require some compromise. If not, they get frustrated and resentful, and you spend all your time resetting them...

I'm also sceptical of the imposed need by some to reset passwords at arbitrary periods. I can see it's useful if it's a low-security pass shared by a lot of people who change now and then (e.g. PIN numbers to staff door locks etc), but if somebody's kept their password safe for 13 days, why is it assumed it's less safe on the 14th? And studies show that they simply increment the number on the end anyway!

> My problem is system passwords, and other passwords not easily managed
> by a password manager. Hefting around and managing SSH keys has its own
> issues, so I mostly use system passwords that are in my head, and whilst

I like "head passwords" too :)

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
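Added example (not code from the list post or from WordPress): the poster talks about spotting the bot traffic against wp-login.php before going as far as replacing the script. This pulls the same signal out of an ordinary Apache "combined" access log. It assumes stock WordPress behaviour, where a failed login re-renders the form with HTTP 200 and a successful one answers 302, and it flags both a single noisy source and the "geographically diverse" case the thread mentions, where many addresses each try only a few times. The log lines, addresses and thresholds are constructed for the example.

```python
"""Spot wp-login.php brute forcing in Apache 'combined' access logs.

Added example; not from the list post.  The log lines are constructed
(hypothetical IPs, times and sizes).  Assumption: a failed wp-login.php
POST returns 200 (the form again) and a successful one returns 302.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2013:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2013:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2013:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2013:02:14:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2013:02:14:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2013:02:14:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
198.51.100.11 - - [10/Mar/2013:02:15:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
198.51.100.12 - - [10/Mar/2013:02:15:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
198.51.100.13 - - [10/Mar/2013:02:16:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
198.51.100.14 - - [10/Mar/2013:02:16:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
198.51.100.15 - - [10/Mar/2013:02:17:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
198.51.100.16 - - [10/Mar/2013:02:17:55 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
198.51.100.17 - - [10/Mar/2013:02:18:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
198.51.100.18 - - [10/Mar/2013:02:18:44 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Mar/2013:02:19:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Mar/2013:02:19:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Mar/2013:09:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields we need from one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def failed_logins(lines):
    """Yield (timestamp, ip) for each POST to wp-login.php answered with 200."""
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"] == "/wp-login.php" and rec["status"] == 200):
            yield rec["ts"], rec["ip"]


def detect(lines, window=timedelta(minutes=10), per_ip=5, distinct_ips=8):
    """Flag noisy single sources and distributed low-and-slow attempts.

    Failures are grouped into fixed windows of `window` length.  An IP with
    `per_ip` or more failures in one window is reported as noisy; a window
    with `distinct_ips` or more different failing IPs is reported as
    distributed even when no single IP crossed the per-IP threshold.
    """
    secs = window.total_seconds()
    per_window = defaultdict(Counter)
    for ts, ip in failed_logins(lines):
        per_window[int(ts.timestamp() // secs)][ip] += 1

    noisy = Counter()
    distributed = []
    for bucket, counts in sorted(per_window.items()):
        for ip, n in counts.items():
            if n >= per_ip:
                noisy[ip] += n
        if len(counts) >= distinct_ips:
            distributed.append(datetime.fromtimestamp(bucket * secs, timezone.utc))
    return {"noisy": dict(noisy), "distributed": distributed}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG.splitlines()))
```

On the sample, 203.0.113.7 is reported as noisy (six failures in the 02:10 window), the window itself is reported as distributed because nine different addresses failed in it, and the single stray failure at 09:40 from the legitimate address is ignored. Feed real logs in with `detect(open("/var/log/apache2/access.log"))`; the thresholds are a starting point, not a standard.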
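Added example (not from the list post) putting numbers on the "22 random alphanumerics is about 128 bits" versus "simple pass phrase" discussion above. The figures assume every symbol or word is chosen uniformly at random; a phrase a person makes up, like the ones listed, is worth less than the word-list figure because the words are not independent. The 7776-word list size and the 10 guesses/second online rate are assumptions for illustration.

```python
"""Entropy of random passwords vs. word-based pass phrases.

Added example; not from the list post.  All figures assume uniform random
choice.  The dictionary sizes and guess rate below are assumptions.
"""
import math


def entropy_bits(choices, picks):
    """Bits of entropy in `picks` independent uniform picks from `choices`."""
    return picks * math.log2(choices)


def expected_seconds(bits, guesses_per_second):
    """Time to search half the keyspace at the given guess rate."""
    return 2 ** (bits - 1) / guesses_per_second


def compare(guesses_per_second=10):
    """Return {scheme: (bits, expected seconds)} for a few choices of password.

    Schemes (all assumptions for the example):
      - 22 random case-sensitive alphanumerics (62 symbols), the figure
        quoted in the thread;
      - 4 words picked at random from a 7776-word list;
      - one word from a 10,000-word dictionary plus a two-digit suffix,
        the shape a brute-force bot's wordlist is built to cover.
    """
    schemes = {
        "22 random alphanumerics": entropy_bits(62, 22),
        "4 random words (7776-word list)": entropy_bits(7776, 4),
        "dictionary word + 2 digits": entropy_bits(10_000 * 100, 1),
    }
    return {name: (bits, expected_seconds(bits, guesses_per_second))
            for name, bits in schemes.items()}


if __name__ == "__main__":
    for name, (bits, secs) in compare().items():
        print(f"{name:32s} {bits:6.1f} bits  ~{secs / 86400:.3g} days at 10 guesses/s")
```

The word-plus-digits shape is about 20 bits, which a remote bot exhausts in well under a day even at a slow 10 guesses/second, while four random words are around 52 bits and the 22-character string around 131; the point is not that a phrase matches a random string but that it is far enough above the wordlist attacks the thread describes, without ending up on a sticky note.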