Threat Level: green Handler on Duty: Kevin Liston

SANS ISC: Wordpress.com Security Breach - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Wordpress.com Security Breach

Wordpress reported mid last week that they suffered a compromise that involved an attacker getting root access to some of their servers.  They haven't released much in the way of specifics of what has happened but indicate that usernames and passwords could have been compromised for those with accounts with the Wordpress site itself (as distinct from people who simply run Wordpress to power blogs on their on systems).  This, once again, brings to the fore the need of using strong passwords for online sites and for using unique passwords for each site.

The bigger issue, however, is with the multiplicity of online sites and social media, the amount of accounts that individuals needs to maintain is vast.  I counted my own list of accounts and just for the non-professional ones, I have 23 or so logins.  Strong passwords help (particularly if they are over 12 characters) but there becomes the problem of remembering them all.  Combine that with the fact most online sites use the "e-mail address" as the username, there is a big problem.

What mitigates this is deployment of decentralized authentication and OpenID is a good example.  At that point, a user can keep a strong password in one place (and even better, use two-factor authentication) that is trusted.  As far as I can tell, Wordpress.com doesn't allow OpenID to register a blog but can be set up if you maintain your own wordpress installation.  The takeaway is, if you run an interactive online website, investigate using OpenID to register & authorize users.  If you get breached, you no longer have a password that can be stolen to assume someone's online identity.

For users, where you can, use OpenID (or similar) schemes that let you maintain your online identity in one place.  Facebook and twitter have similar features if you don't mind giving those companies the ability to data-mine what sites you interact with. Many sites still need you to create an account with a password before you can switch to OpenID.  In that case, create the account, set up OpenID, then change the password to be strong and long and store it somewhere safe (in the off chance you need the actual password some day).  A malicious individual still could "proxy" off an existing session and do bad things if they already compromised your PC, but you would not have to worry about the mass compromises that have hit Wordpress, Gawker and others recently.

--
John Bambenek
bambenek at gmail /dot/ com
Bambenek Consulting

John

248 Posts
ISC Handler
It is a mere question of time before OpenID (or similar) are compromised.
KBR

63 Posts Posts
Unfortunately, not all financial websites will accept the same strong password.

One well-known credit card site will not accept special characters in the password (I wrote them but never got a response). Another well-known financial site will not accept passwords with more than ten (10) characters. A third site we use accepts *some* special characters, but not all of them.
KBR
22 Posts Posts
@Techvet
Sounds like American Express to me. Except I recall them limiting it to 8 characters. And no special characters.
KBR
11 Posts Posts
Maybe I am clueless, but I cant understand the point of openid.
I can use the same terrible password at one of openid's "partners" as my openid login.

If I have a poor password for my gmail, yahoo. flickr, etc. account that I use for openid, wouldn't I be in worse shape?
Especially if I use wordpress or rootkit.com or a bank that used Epsilon or was of the other list of mass password/username thefts that we know of?

How does having openid help if they dont enforce a strong password policy and just let me login with my gmail account?
Or - Am I missing something??
If so please let me know - I don't feel like writing my own blog just to get a "real" openid account.

Anonymous
Posts
OpenID would remove the need for you to have password information stored on each web site. If someone cracked a site your credentials would not be exposed.
Anonymous
Posts
@KBR: +1. when openid will be compromised, all your account belong to us.
guly

3 Posts Posts
Strictly speaking "openID" can't be compromised, an OpenID provider, sure. But when you take lots of low value sites who don't care much about security (and don't have to if we're talking blog comments) and compare them against a provider of authentication, you're making hackers have to go against a tougher target. For instance, one OpenID provider is Verisign. If you can 0wn Verisign, all bets are off anyway.

It's an incremental reduction of risk. If you're looking for risk to be 0, it is never going to happen.
John

248 Posts Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!