Wordpress Security » User Accounts & Passwords

Managing Passwords with Software

David Turnbull — Sun, 04 Oct 2009 13:02:14 +0000

Having to remember complex passwords is the reason that so many people choose ones that can be easily guessed. Luckily, this problem was identified some time ago and since then developers have worked on password management software. These applications aim to take the work out of managing passwords.

They work by generating complex passwords for you and saving them in a central database on your computer. When you want to login to a website, instead of manually typing out your details you simply click a button and the software logs in for you.

Best Password Management Software

1Password can create strong, unique passwords for you, remember them, and restore them, all directly in your web browser.
RoboForm is the top-rated password manager and web form filler that completely automates password entering and form filling. RoboForm password manager saves online passwords, fills login forms with saved data, automatically logs you into a web site, allows you to view and edit passwords. RoboForm form filler fills long registration and checkout forms. RoboForm also provides Password Generator, and it encrypts password-protected info using AES thus making password management absolutely secure. RoboForm is absolutely free for personal use, it contains no spyware and no adware.
LastPass is a free online password manager and Form Filler that makes your web browsing easier and more secure. LastPass supports IE and Firefox as Plugins (Opera, Safari, Chrome, iPhone, Opera Mini via Bookmarklets), allows you to import from every major password storage vendor and export too, captures passwords that other managers won’t including many AJAX forms, and allows you to make strong passwords easily. Your sensitive data is encrypted _locally_ before upload so even LastPass cannot get access to it.

You might also want to read...

Use an Account with Limited Access

David Turnbull — Sun, 04 Oct 2009 12:00:20 +0000

Wordpress has fairly comprehensive user permission management. It’s quite simple to create users that can only publish posts. And why does that matter? Because it’s a fantastic way to prevent hackers from getting any real control over your blog.

Most Wordpress users will have a single user account, and that account will be the administrative account, therefore having full access to do everything. The problem with this is if that account is compromised a whole bunch of nasty things can be done to your blog.

Create a separate user account that only has permissions to perform basic blogging tasks (publish posts, delete posts etc) and start using this account to update your blog. If you ever succumb to a phishing attack or some other method to steal your password, the intruder will end up with this limited access account which can’t do much in the first place, and then can easily be deleted (any posts assigned to the user can be re-assigned to another user).

If you’re blogging from public computers or an application needs your username and password (such as a desktop blogging tool) then using a limited access account will give you the peace of mind that no significant damage can be done if the account is ever compromised.

You might also want to read...

Delete the Default Administrator

David Turnbull — Sun, 04 Oct 2009 11:57:16 +0000

When you install Wordpress the default administrator is given the predictable username of admin. This appears harmless but is a huge security flaw. Why?

Well, one way to gain unauthorized access to a system is through brute force cracking. This works by using a program to automatically guess possibly millions of different username and passwords combinations over and over.

Using the admin username basically speeds up the process for brute forcers because it’s just one less thing they have to figure out. In reality you should think of your Wordpress username as a second password, and therefore follow similar rules to that of strong passwords:

Don’t tell people your username.
Don’t choose an obvious username (like your real name).
Use a mixture of numbers and letters.

Hide your True Username

By default the username you login with is the name that is publicly displayed with your posts. You need to change this to keep it hidden:

Go to the “Your Profile” page.
Find the field labelled “Display your name publicly as”.
Change this to something other than the username you log in with.

How to Delete the ‘admin’ User

Your Wordpress installation cannot be without an administrator. This means you need to create a new administrator before you can delete the default one. And here’s how to do exactly that:

Login to the Wordpress administration area.
Click on the “Add New User” link under the “Users” menu.
Fill out all the necessary details, and choose a username in the same way you would choose a password. Make it complex and hard to guess.
Set the “Role” to “Administrator”.
Click on the “Add User” button.
Logout.
Login with the newly created account.
On the “Authors & Users” page you’ll now have the ability to delete the original admin user.
Click on the “Delete” link next to that user and you’ll be given the ability to assign all previously written posts to the new admin.
Confirm the deletion.

You might also want to read...

Strong Passwords

David Turnbull — Sun, 04 Oct 2009 11:54:21 +0000

Passwords are the age-old, tried and true security tool for accounts of all sorts. And, if people followed the constantly recommended advice there’d be far less security concerns in the world.

Everyone thinks “Oh, no hacker would ever guess that my password is password1234”. But they will, and once that happens they’ll eat your children too*. So think about that next time you don’t put any thought into a password.

*It is improbable that hackers will actually eat your children.

How to Create Strong Passwords

Make it longer. Every character your password has is another exponential amount of combinations a hacker has to guess so make your password as long as possible.
Randomise . Don’t try to be clever with your passwords so they have some meaning allowing you to remember them: that’s a vulnerability. Either mash the keyboard furiously to create your passwords or, better yet use a site like strongpasswordgenerator.com to do the hard work for you.
Use numbers, letters and symbols. Slip a couple of numbers and symbols into your password and it becomes infinitely more powerful.
Change them regularly. Keep ‘em guessing.