Admins know it’s key that WordPress users have secure passwords to keep web security watertight. But do you know if your WordPress users are accessing your CMS with insecure ‘pwned’ passwords? And do you know the risk?
What is a pwned password?
Pwned passwords are over seven billion real-world passwords that have been exposed in data breaches. This exposure makes them unsuitable for use, as they are at much greater risk of being used to take over other accounts. They are searchable online in the Have I Been Pwned database.
What’s the risk?
People using pwned passwords can pose a serious risk to your cybersecurity. When hackers undertake a brute-force attack – using passwords to take personal information or spend users’ hard-earned money through your site – it’s usually the site owner/developer who gets the blame.
The National Institute of Standards and Technology has issued guidelines for federal agencies implementing digital identity services, which state:
When processing requests to establish and change memorised secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example…
* Passwords obtained from previous breach corpuses
If federal agencies are doing it, we recommend you do too.
How do I check our WordPress site isn’t using any pwned passwords?
To help reduce such incidents, we have created a WordPress plugin to prevent users of WordPress and WooCommerce from reusing passwords listed in the haveibeenpwned.com database.
Explain how it works like I’m five
How do I forbid WordPress users from using pwned passwords?
If the new password is found in the haveibeenpwned.com database, the plugin rejects the change.
How to prevent WooCommerce users from using breached passwords?
WooCommerce displays personally identifiable information (PII), e.g. name, phone number, address, etc., to returning customers. It’s important to protect that PII from credential stuffing. Therefore, Disallow Pwned Passwords provides built-in support for WooCommerce.
If WooCommerce is activated, this plugin automatically rejects pwned passwords when:
* resetting a password on Home » My account » Lost password
* changing a password on Home » My account » Account details
* registering a new user on Home » My account
* registering a new user during checkout
Did you just send all the passwords to someone else?
No. User passwords never leave your server, not even in hashed form.
How do you compare user passwords with the 6,493,641,194 pwned ones?
To securely compare user passwords against the ones in the haveibeenpwned.com database, we need to ensure:
Let's see a real-world example:
(21BD1) 0018A45C4D1DEF81644B54AB7F969B88D65:1 (password lauragpe)
(21BD1) 00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2 (password alexguo029)
(21BD1) 011053FD0102E94D6AE2F8B83D76FAF94F6:1 (password BDnd9102)
(21BD1) 2DC183F740EE76F27B78EB39C8AD972A757:47205 (password P@ssw0rd)
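The lookup shown above is the Have I Been Pwned range (k-anonymity) API: only the first five hex characters of the password’s SHA-1 hash are sent, and the reply lists every matching 35-character suffix with its breach count. The following Python is an added example, not the plugin’s own code; it embeds a constructed copy of the four sample lines above as an offline stand-in, and the function names and the offline fetcher are assumptions.

```python
import hashlib
import urllib.request

# HIBP "range" endpoint: it receives only the first 5 hex characters of the
# SHA-1 hash and answers with every matching 35-character suffix and its count.
RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed copy of the sample response for prefix 21BD1 (format SUFFIX:COUNT).
SAMPLE_RESPONSE_21BD1 = """0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
011053FD0102E94D6AE2F8B83D76FAF94F6:1
2DC183F740EE76F27B78EB39C8AD972A757:47205"""

def split_sha1(password: str) -> tuple[str, str]:
    """Hash locally; only the 5-character prefix ever leaves the server."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Turn SUFFIX:COUNT lines into a lookup table, skipping blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def fetch_range_live(prefix: str) -> str:
    """Real lookup (needs network). Add-Padding asks HIBP to pad the reply with
    count-0 entries so the response size reveals nothing about the prefix."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")

def fetch_range_offline(prefix: str) -> str:
    """Stand-in fetcher (assumption) so the example runs without network."""
    return SAMPLE_RESPONSE_21BD1 if prefix == "21BD1" else ""

def pwned_count(password: str, fetch_range=fetch_range_offline) -> int:
    """Breach count for the password; 0 means not found (padding entries too)."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def should_reject(password: str, fetch_range=fetch_range_offline) -> bool:
    """Policy described above: any breach count above zero rejects the password."""
    return pwned_count(password, fetch_range) > 0
```

Passing `fetch_range_live` instead of the offline stand-in performs the real query, and the full hash is never transmitted in either case.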
Curious users can learn more from:
Can strong passwords be pwned?
Yes. Even long passwords like correct horse battery staple have been pwned.
[Password Strength - https://www.xkcd.com/936/]
How to choose a strong password
Short Answer: Use a password manager. For example: 1Password, LastPass, Dashlane, etc.
Further reading:
The only secure password is the one you can’t remember
How to choose a good Master Password
Why Secure Passwords Need Length Over Complexity
I have installed this plugin. Does it mean my WordPress site is unhackable?
No website is unhackable.
To have a secure WordPress site, you have to keep all these up-to-date:
Besides Disallow Pwned Passwords, we strongly recommend these plugins as well: