There’s no escaping the simple fact that “passwords”, as a means of verification, are here to stay.
In the majority of cases, they’re the sole means of account verification.
If you’ve heard it once, you’ve heard it a million times: use strong passwords!
But “strong” isn’t enough. Here are some recommendations, which I’m sure you’ve heard before.
Passwords must be:
- long – shorter passwords are more easily cracked
- strong – a “suitable” combination of numbers, letters, upper/lower-case, punctuation
- unique – don’t re-use passwords across different accounts/services, and don’t repeat passwords you’ve already used before
- updated – regularly change your passwords
Unfortunately, this is all a bit much for most people and overwhelm kicks in, resulting in simplistic passwords that rarely get updated.
What’s all the fuss about? Who’s gonna guess my password?
Before we go any further, we must stress the importance of password strength, and address the feeling you may have that you’re not a target.
You are a target. Every. Single. Day.
Not because you are you, but simply by the fact that you exist.
Automated bots that brute-force or crack your passwords don’t care about you; they only care about gaining access. They’re built on the sound premise that the majority of users employ weak passwords.
Your dog’s name isn’t unique. Nor is your date of birth. Your maiden name isn’t special, and your son’s middle name has been chosen by many other people before you and since.
Please, if you get nothing else from this article, and without meaning to strike baseless fear into you, understand that you are a target, and your passwords matter.
You’re Only As Strong As Your Weakest Link
You’ve heard that one before, I’m sure. And for good reason.
You can secure your WordPress site, keep it up-to-date, apply patches, run scans, use CloudFlare and employ all manner of security protocols, but if your administrator passwords are weak, none of it matters.
This applies not only to you, but to every administrator on your site.
And if you’re using shared web hosting, it applies to every administrator on every site that’s sharing the web hosting.
What Is Your Current Password Policy?
Password Complacency is not a great security policy. It will come back to bite you.
This isn’t just about how strong your passwords are, it’s about every user with any access privileges on your sites and resources.
Unfortunately WordPress has no built-in way to enforce password policies.
Does Your Lack Of A Password Policy Align You With The GDPR? No.
Firstly, if you’ve never heard of GDPR, and you don’t know what it is, start here.
The GDPR is a scary word for many people at the moment. But it’s all about enforcing sound security practices alongside robust privacy safeguards.
Something we should be doing already.
Part of the GDPR stipulates that organisations should:
…implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…
We’re currently reviewing our policies and guidelines to ensure we’re compliant with GDPR rules. Part of this is the automated enforcement of password policies across all our WordPress websites and services.
With the Shield Security Password Policies in place, we can now point to “appropriate measures”. These policies help ensure a high degree of security for user access control.
You’re not in Europe, so GDPR doesn’t apply to you? Not so.
If you or your customers do business with parties in Europe, or with parties that do business in Europe, you (and your customers) may be subject to GDPR compliance.
How so?
No organisation can itself be GDPR compliant, and at the same time have business operations that involve exchange of sensitive data with any other organisation that is not GDPR compliant.
Just to be clear, Shield Security does not “make” you GDPR compliant. But employing appropriate security measures to protect sensitive data plays a role in getting you there.
WordPress Password Policies Available With Shield Security
With the release of Shield Security v6.6, we’re providing several important password policy rules.
Passwords are checked in 4 key areas:
- Account Registration
- Forgotten Password Reset
- Profile Update
- Account Login (only applies when the option “Apply To Existing Passwords” is turned on. See below)
Pwned Passwords
We talked about the Pwned Passwords API in a previous article. This option automatically detects the use of “pwned passwords” and prevents their use.
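To show what a Pwned Passwords check actually does under the hood, here is an added example in Python (not Shield’s own PHP code). It implements the API’s k-anonymity range query: the client hashes the password with SHA-1, sends only the first 5 hex characters, and compares the remaining 35 locally against the list of suffixes the service returns. The breach corpus and counts in SAMPLE_BREACH_CORPUS are constructed for the demo so it runs offline; the real endpoint URL in live_range_fetch is the published one, but it is not called here.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

# Constructed "breach corpus" used by the simulated server below: password -> times seen.
# These passwords and counts are made up for the demo; the real corpus is held by the API.
SAMPLE_BREACH_CORPUS: Dict[str, int] = {
    "password": 3730471,
    "letmein": 236122,
    "DoctorWho1234!": 12,
}


def sha1_hex_upper(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex, the form the API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_server(prefix: str) -> str:
    """Stand-in for the range endpoint: given a 5-hex-char prefix, return every
    35-char suffix in the corpus that shares it, one 'SUFFIX:COUNT' line each."""
    lines = []
    for pw, count in SAMPLE_BREACH_CORPUS.items():
        digest = sha1_hex_upper(pw)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def live_range_fetch(prefix: str) -> str:
    """Real fetch (not used in the offline demo): GET https://api.pwnedpasswords.com/range/<prefix>."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-policy-demo"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: Callable[[str], str] = fake_range_server) -> int:
    """Return how many times the password appears in the corpus, or 0 if never seen.
    Only the first 5 hex characters of the hash leave this function; the remaining
    35 are compared locally against the returned range (the k-anonymity property)."""
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


def is_password_allowed(password: str, fetch_range: Callable[[str], str] = fake_range_server) -> bool:
    """Policy decision: reject any password with a non-zero breach count."""
    return pwned_count(password, fetch_range) == 0


if __name__ == "__main__":
    for pw in ("password", "DoctorWho1234!", "claridge-brook-mercury"):
        print(f"{pw!r}: seen {pwned_count(pw)} times, allowed={is_password_allowed(pw)}")
```

Swapping `fake_range_server` for `live_range_fetch` turns this into a real check; either way, the full hash never leaves the site, which is what makes it acceptable to run on every registration, reset and profile update.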
Password Strength
The password strength indicator is based upon the now-famous zxcvbn password strength calculator.
Strength labels range from Very Weak -> Very Strong. These labels don’t align exactly with the WordPress password strength meter, so you may see conflicting results when you use this. But if you ever use the default password that WordPress provides when you reset your password, you’ll easily pass on both strength tests.
Of course, “strength” of a password is determined by many factors, and length is only one of those. It all comes down to “how long would it take for someone to crack my password”.
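To make the point that length is only one factor, here is an added example in Python (not zxcvbn and not Shield’s code) that estimates guesses two ways: a naive character-class brute-force model, and a simplified pattern model that charges a dictionary word far less than the letters it contains. GUESSES_PER_SECOND, DICTIONARY_SIZE and the tiny SAMPLE_DICTIONARY are constructed assumptions; the passwords used are the ones quoted elsewhere on this page.

```python
import math
import re

# Constructed assumptions for the illustration.
GUESSES_PER_SECOND = 1e10   # an offline attack against a fast, unsalted hash
DICTIONARY_SIZE = 30_000    # cost of one dictionary-word guess against a realistic word list
SAMPLE_DICTIONARY = {"doctor", "who", "claridge", "brook", "mercury", "password"}  # tiny stand-in list

CHARSET_SIZES = (
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^A-Za-z0-9]"), 33),
)


def brute_force_guesses(password: str) -> int:
    """Naive model: (size of the union of character classes used) ** length."""
    size = sum(n for rx, n in CHARSET_SIZES if rx.search(password))
    return size ** len(password)


def _split_words(run: str):
    """Greedy longest-match split of a letter run into dictionary words (case-insensitive).
    Returns the original-case pieces, or None if some part is not a dictionary word."""
    words, i, lower = [], 0, run.lower()
    while i < len(run):
        for j in range(len(run), i, -1):
            if lower[i:j] in SAMPLE_DICTIONARY:
                words.append(run[i:j])
                i = j
                break
        else:
            return None
    return words


def pattern_guesses(password: str) -> int:
    """Pattern-aware model: tokenize into letter/digit/symbol runs. A letter run made of
    dictionary words costs DICTIONARY_SIZE per word (x2 if it carries a capital), digit
    runs cost 10**n, symbol runs 33**n, and unrecognised letter runs fall back to brute force."""
    total = 1
    for token in re.findall(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+", password):
        if token.isalpha():
            words = _split_words(token)
            if words is None:
                total *= (26 if token.islower() else 52) ** len(token)
            else:
                for w in words:
                    total *= DICTIONARY_SIZE * (1 if w.islower() else 2)
        elif token.isdigit():
            total *= 10 ** len(token)
        else:
            total *= 33 ** len(token)
    return total


def crack_seconds(guesses: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password: on average half the space is searched."""
    return guesses / 2 / rate


def describe(password: str) -> dict:
    bf, pt = brute_force_guesses(password), pattern_guesses(password)
    return {
        "brute_force_bits": math.log2(bf),
        "pattern_bits": math.log2(pt),
        "brute_force_seconds": crack_seconds(bf),
        "pattern_seconds": crack_seconds(pt),
    }


if __name__ == "__main__":
    for pw in ("DoctorWho1234!", "claridge-brook-mercury", "UziAHlu?C3je"):
        print(pw, describe(pw))
```

Under the brute-force model “DoctorWho1234!” looks like 95^14 guesses; the pattern model prices it as two capitalised dictionary words, four digits and one symbol, which is many orders of magnitude smaller. That gap is why a meter such as zxcvbn, which searches for dictionary, date, sequence and keyboard patterns, can disagree with a character-class meter on the same password.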
Apply To Existing Passwords
This lets you retrospectively apply your password policies to users and their existing passwords. When a password is found that doesn’t meet your minimum requirements, it’ll force the user to change their password before allowing any other actions.
Note: it can only test the strength of a password after the user next logs in successfully.
Password Expiration
This will force any user to change their password after the expiration period (in days). The counter for expiration starts from the next time the user logs in.
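The two options above share one subtlety: a site only ever stores a hash, so an existing password can be evaluated, and the expiry clock started, only at the moment the plaintext is presented, i.e. a successful login. The following added example is a Python model of that flow (a sketch written for this article, not Shield’s PHP implementation); the policy values, the minimum-length check and the POLICY_ENABLED_AT date are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, List, Optional

# Constructed reference date used by day() for the demo timeline.
POLICY_ENABLED_AT = datetime(2018, 5, 25)

Check = Callable[[str], Optional[str]]  # returns a failure reason, or None when the password passes


@dataclass
class PasswordPolicy:
    apply_to_existing: bool = True          # "Apply To Existing Passwords"
    expiration_days: Optional[int] = 90     # "Password Expiration"; None disables it
    checks: List[Check] = field(default_factory=list)


@dataclass
class UserState:
    expiry_anchor: Optional[datetime] = None   # set on the first login after the policy is enabled
    must_change_password: bool = False
    change_reason: Optional[str] = None


def day(offset: int) -> datetime:
    """Helper for the timeline: POLICY_ENABLED_AT plus a number of days."""
    return POLICY_ENABLED_AT + timedelta(days=offset)


def min_length(n: int) -> Check:
    return lambda pw: None if len(pw) >= n else f"shorter than {n} characters"


def validate_new_password(password: str, policy: PasswordPolicy) -> Optional[str]:
    """Run every policy check; return the first failure reason or None."""
    for check in policy.checks:
        reason = check(password)
        if reason:
            return reason
    return None


def on_successful_login(state: UserState, plaintext_password: str, now: datetime,
                        policy: PasswordPolicy) -> UserState:
    """Called only after credentials verified: the one point where the plaintext is available."""
    if policy.apply_to_existing:
        reason = validate_new_password(plaintext_password, policy)
        if reason:
            state.must_change_password = True
            state.change_reason = f"existing password {reason}"
            return state
    if policy.expiration_days is not None:
        if state.expiry_anchor is None:
            # Counter starts from this login, not from when the option was switched on.
            state.expiry_anchor = now
        elif now - state.expiry_anchor >= timedelta(days=policy.expiration_days):
            state.must_change_password = True
            state.change_reason = "password expired"
    return state


def on_password_changed(state: UserState, new_password: str, now: datetime,
                        policy: PasswordPolicy) -> UserState:
    """Apply the same checks to the replacement; on success restart the expiry counter."""
    reason = validate_new_password(new_password, policy)
    if reason:
        raise ValueError(f"new password {reason}")
    state.expiry_anchor = now
    state.must_change_password = False
    state.change_reason = None
    return state


def may_proceed(state: UserState) -> bool:
    """Gate for any other action on the site: blocked until the forced change is done."""
    return not state.must_change_password


if __name__ == "__main__":
    policy = PasswordPolicy(checks=[min_length(12)])
    user = on_successful_login(UserState(), "short1!", day(0), policy)
    print("weak existing password -> must change:", user.must_change_password, user.change_reason)
    user = on_password_changed(user, "claridge-brook-mercury", day(0), policy)
    for offset in (89, 90):
        user = on_successful_login(user, "claridge-brook-mercury", day(offset), policy)
        print(f"login on day {offset}: may proceed = {may_proceed(user)}")
```

Note what the model makes visible: a user who never logs in again is never evaluated and never expires, and a user whose existing password fails is blocked at the first successful login rather than at the moment the option is enabled.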
How To Get Access To WordPress Password Policies
The feature has the following requirements:
- PHP v7.2+ (more info)
- Shield Security v6.6+
- ShieldPRO is required for all options except ‘Pwned Passwords’
If you have any questions or suggestions about this feature, please do let us know in the comments below.
I’m not a fan of the requirement to generate a strong/very strong password of the type promoted by WordPress etc. because it forces unsophisticated users to rely on and repeat the ‘secure’ password they have used elsewhere.
Humans are not good at remembering secure passwords of the form UziAHlu?C3je or tUmuS74etn&j. This is exacerbated if they are required to change their passwords every 60 days, 90 days, whatever. Inevitably, users will and do re-use their previous small pool of such secure passwords, usually generated around a word, name, number and punctuation combination such as DoctorWho1234! (which WordPress reports as a strong password).
To be clear, the situation is worsened when looking at e-commerce (in our case WooCommerce) sites with traffic because the registered user count goes up dramatically, which means more of these poor, repeated passwords are on the site.
We can of course enforce a policy, but the hit in user experience shouldn’t be underestimated: You’ve gone through to your basket, ready to purchase, you want to, or are forced to, take out an account prior to purchase, and you have to add a password.
Well, if in that password generation exercise one is consistently being mildly reprimanded for the passwords you are putting in, then by the 3rd or 4th try of picking a strong, or worse still, very strong password (it is an e-commerce account after all) you’re pretty frustrated if not annoyed. Oh, and if you are smart and not too distracted you’re writing down the password because there is no way on earth you are going to remember it. In fact, it is guaranteed that you will forget it.
Two months later when you revisit the store you can’t even log in WITH your written down password. If you’re lucky a usually curt, officious notice box is telling you to come up with a new (Aargh! ffs! “very strong”) password and that btw, you can’t re-use the one you had, and it’s kind of your own fault anyway because you haven’t visited in so long.
If you are unlucky, you’ll just be getting a ‘Username or Password is incorrect’ notice, try several times and you’ll get caught up in a cooldown sequence, or a lockout, or a “contact support to reenable your account” or, if you get nervous enough about getting locked out with the “You have 2 attempts left” notice you’ll have skipped town to the “reset your password” email trail. Multiply that by thousands of purchasers.
I’d like Shield to develop / adapt to the following:
1) Generate memorable passwords FOR the new user of the form claridge-brook-mercury (which WordPress also reports as a strong password) – I’m aware of the arguments for and against this type of password, but you’ll notice it is _not quite_ a common word password.
2) Show them the password they have been assigned with a ‘copy’ button AND e-mail a time limited (2hr) link to a password viewing/copying page (er, as they are human, so they can copy and paste it, or write it down 😉)
3) Give them a button right then and there to login (obvs with the new password prefilled).
4) If policy is that their password is scrubbed for rotation after ‘x’ days, generate a new password for them, send a new email link as at 2) above, explaining that their password has been routinely changed for security.
I’m aware some solutions send a ‘your password is expiring’ email to remind people to login and change to a new one at 4). Let’s all hope they do, or their next visit will be as described above.
BTW, howsecureismypassword result for a computer finding the password?
DoctorWho1234! = 4 hundred billion years
claridge-brook-mercury = 2 hundred quadrillion years
https://www.security.org/how-secure-is-my-password/
By all means keep perfecting ways to improve ‘very strong’ passwords that take no account of the real life experience of using them, but offer us a better alternative than everybody else’s solution of suggesting to many, many unsophisticated users that they should invest in a password manager 😐
As it is, we’re likely to turn off Shield’s password protections and employ a third-party plugin or SAAS solution, specifically because of the user experience provided when we start switching on the options Shield suggests in order to get a 100% score.
There is a similar argument I could raise in a different post related to Shield’s 2FA; it would be good to see a proper passwordless solution in your mix/options.
And apologies, I hadn’t meant this to be quite so soapbox, I really like the product – but even with that said, this is written.
kind regards,
Philip