Wordpress.com Security Breach
Wordpress reported in the middle of last week that they suffered a compromise in which an attacker obtained root access to some of their servers. They have not released many specifics about what happened, but they indicate that usernames and passwords could have been compromised for people who hold accounts with the Wordpress.com site itself (as distinct from people who simply run the Wordpress software to power blogs on their own systems). This once again brings to the fore the need to use strong passwords for online sites and to use a unique password for each site, so that one site's breach does not hand an attacker your credentials everywhere else.
The bigger issue, however, is that with the multiplicity of online sites and social media, the number of accounts an individual has to maintain is vast. I counted my own list of accounts and, just for the non-professional ones, I have 23 or so logins. Strong passwords help (particularly if they are over 12 characters), but then there is the problem of remembering them all. Combine that with the fact that most online sites use the e-mail address as the username, and a credential stolen from one site is immediately reusable against every other site where the same password was used.
What mitigates this is deployment of decentralized authentication, and OpenID is a good example. With it, a user can keep one strong password in one trusted place (and, even better, protect it with two-factor authentication). As far as I can tell, Wordpress.com does not let you register a blog with OpenID, but OpenID login can be set up if you maintain your own Wordpress installation. The takeaway is: if you run an interactive online website, investigate using OpenID to register and authenticate users. If you get breached, you are no longer holding a password that can be stolen and used to assume someone's online identity; the identity provider holds the credential, and your site holds only an identifier and its own session state.
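To make the site-side takeaway concrete, here is an added example (not code from the original diary, Wordpress, or any OpenID library) of what an OpenID 2.0 relying party stores and checks when a user signs in. The user table holds an identifier and no password; the provider's positive assertion is accepted only if its HMAC signature verifies under the association key, the return_to and endpoint match, and the response nonce has not been seen before. The endpoint URLs, association handle, MAC key, user identifier and nonces are constructed test values.

```python
"""Added example: OpenID 2.0 positive-assertion checking on the relying-party side.
All endpoints, handles, keys and identifiers below are constructed test values."""
import base64
import calendar
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

# Constructed test values (assumptions, not real associations or endpoints).
OP_ENDPOINT = "https://openid.example.net/server"
RETURN_TO = "https://blog.example.org/openid/return"
ASSOC_HANDLE = "assoc-7f3c"
MAC_KEY = b"0123456789abcdef0123456789abcdef"  # 32-byte HMAC-SHA256 association key

# What the relying party persists per user: an identifier, no password at all.
RP_USERS = {"https://alice.example.com/": {"display_name": "alice"}}

# Fields the spec requires to be covered by the signature in a positive assertion.
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity")

# Timestamp the demo treats as "now" (constructed).
DEMO_NOW = calendar.timegm(time.strptime("2011-04-18T12:00:00Z", "%Y-%m-%dT%H:%M:%SZ"))


def kv_form(fields, signed):
    """OpenID key-value form of the signed fields, in openid.signed order."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()


def sign(fields, signed):
    """Base64 HMAC-SHA256 over the key-value form, as for an HMAC-SHA256 association."""
    mac = hmac.new(MAC_KEY, kv_form(fields, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def make_assertion(claimed_id, nonce):
    """Provider side: build a signed positive assertion as a query string."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
    }
    signed = list(REQUIRED_SIGNED)
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = sign(fields, signed)
    return urlencode(fields)


def verify_assertion(query, seen_nonces, now, max_skew=300):
    """Relying-party side. Returns the authenticated claimed_id, or None on any failure."""
    f = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if f.get("openid.mode") != "id_res":
        return None
    if f.get("openid.return_to") != RETURN_TO or f.get("openid.op_endpoint") != OP_ENDPOINT:
        return None
    if f.get("openid.assoc_handle") != ASSOC_HANDLE:
        return None  # unknown association; a real RP would fall back to direct verification
    signed = f.get("openid.signed", "").split(",")
    if any(k not in signed for k in REQUIRED_SIGNED):
        return None  # attacker must not be allowed to leave fields unsigned
    if any("openid." + k not in f for k in signed):
        return None
    # Replay protection: the nonce is a UTC timestamp plus a unique suffix and is single-use.
    nonce = f.get("openid.response_nonce", "")
    try:
        ts = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        return None
    if abs(now - ts) > max_skew or (OP_ENDPOINT, nonce) in seen_nonces:
        return None
    expected = sign(f, signed)
    if not hmac.compare_digest(expected.encode(), f.get("openid.sig", "").encode()):
        return None
    seen_nonces.add((OP_ENDPOINT, nonce))
    claimed = f["openid.claimed_id"]
    return claimed if claimed in RP_USERS else None


def demo():
    """Valid assertion, the same assertion replayed, and a tampered copy."""
    seen = set()
    good = make_assertion("https://alice.example.com/", "2011-04-18T12:00:00Zq1w2e3")
    first = verify_assertion(good, seen, DEMO_NOW)
    replay = verify_assertion(good, seen, DEMO_NOW)
    tampered = verify_assertion(good.replace("alice", "mallory"), set(), DEMO_NOW)
    return first, replay, tampered


if __name__ == "__main__":
    print(demo())
```

The point to notice is what a dump of `RP_USERS` would give an attacker after a breach: identifiers and display names, no password hashes. The association key is short-lived and only lets someone forge assertions for this one site until it is rotated; it cannot be replayed against the user's other accounts the way a shared password can.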
For users: where you can, use OpenID (or a similar scheme) that lets you maintain your online identity in one place. Facebook and Twitter offer similar features, if you don't mind giving those companies the ability to data-mine which sites you interact with. Many sites still require you to create an account with a password before you can switch to OpenID. In that case, create the account, set up OpenID, then change the password to something strong and long and store it somewhere safe (in the off chance you need the actual password some day). A malicious individual could still "proxy" off an existing session and do bad things if they had already compromised your PC, but you would not have to worry about the mass compromises that have hit Wordpress, Gawker and others recently.
--
John Bambenek
bambenek at gmail /dot/ com
Bambenek Consulting