Comments on: 20f1aeb7819d7858684c898d1e98c1bb

By: Episode 33: WordPress 2.3.2 released, WordPress 2.4 missed and changes to the podcast | PHP Podcasts

Tue, 12 Feb 2008 21:37:44 +0000

[...] algorithm, there’s a plugin to secure your admin pages, Donncha O Caoimh details other ways to secure your blog, and Blog Security’s Whitepaper on securing your blog is [...]

By: David G. Johnson

David G. Johnson — Fri, 28 Dec 2007 04:34:25 +0000

Thanks for raising this topic in such a creative fashion. All someone needs to do is download a brute force utility to see how easy it is to hack their weak passwords. 8 characters should be anyone’s minimum, and those should not be dictionary entries — in any language.

And oh yes… thanks, John, for the “Princess Bride” reference.

By: Pirahna

Pirahna — Wed, 26 Dec 2007 20:38:12 +0000

Well “Anthony” isn’t exactly what i call a secure password.

Try something like “ireallywouldliketoseeAnthonyagain” … that should do the trick.

By: Shanti Braford

Shanti Braford — Sat, 22 Dec 2007 22:41:58 +0000

It’s good to see some work being done in WordPress around this area.

For developers in general, who may not be familiar w/ all the ins and outs of storing user password hashes, salts, etc:

http://onwebapps.com/the-hopefully-somewhat-definitive-article-on-how-to-store-user-password-hashes/

By: Lee

Lee — Thu, 20 Dec 2007 17:37:53 +0000

Maybe a WP plug-in that utilises some of the popular reverse md5 lookup web sites/services:

http://md5.rednoize.com/?xml&q=20f1aeb7819d7858684c898d1e98c1bb

http://gdataonline.com/qkhash.php?mode=xml&hash=20f1aeb7819d7858684c898d1e98c1bb

The results would be used to show the user if their password is “known by hackers”.

By: Tadd

Tadd — Thu, 20 Dec 2007 15:26:03 +0000

I don’t use word passwords. All of my passwords are 12 characters, randomly generated via a program. I then save them on a thumb drive that I have on my person. When I need to log in I have my secured drive. I’m planning on getting one of those thumb drives that use your thumb print as a password to access the information … heck yeah. If for nothing else than for a complete geek factor.

But, it is amazing to me how people still use the ol’ cliche passwords. First names, pet names, middle names, birthdays, god … anyone with any shred of ‘net wisdom will realize that you need at least one number in there to break up the easy guesses.

By: Donncha

Donncha — Thu, 20 Dec 2007 10:29:08 +0000

Lloyd – of course! I should have linked to the trac ticket.

Kae – I was about to try that on the WordPress.com wp_users but it would take ages to execute and probably slow the site down. Phew.

By: Monika's Gedanken

Monika's Gedanken — Thu, 20 Dec 2007 02:02:10 +0000

mein Blog wurde gehackt

der Albtraum jedes Bloggers.
Morgens surfst Du zum Blog und findest fremde Klingeltöne darin oder es geht gar nichts mehr.
Zu 99,99% kam der “ungewünschte Besucher” ganz normal über den Adminaccount, weil das Passwort derart einfach war…

By: John Pozadzides

John Pozadzides — Thu, 20 Dec 2007 01:03:07 +0000

Guys, just a little reminder seeing how I’m constantly writing about this topic. Please don’t use weak passwords! And here is a radio interview I did on the subject.

I just can’t understand how in this day and age people still fall for this. It’s one of the classic blunders behind, ‘Don’t get involved in a land war in Asia’, and ‘Never go up against a Sicilian when DEATH is on the line!’ Muahahahaha.

John

By: Lloyd Budd

Lloyd Budd — Thu, 20 Dec 2007 00:41:46 +0000

Not just Ryan! There is a whole team of people contributing to make WordPress’ hashing and cookies more robust to attack, including the person, Steven J. Murdoch, who was attacked and did such an amazing job of isolating the vector.