Announcing disallow pwned passwords

Admins know it’s key that WordPress users have secure passwords to keep web security watertight. But do you know if your WordPress users are accessing your CMS with insecure ‘pwned’ passwords? And do you know the risk?

What is a pwned password?

Pwned passwords are over seven billion real-world passwords that have been exposed in data breaches. This exposure makes them unsuitable for use as they’re at much greater risk of being used to take over other accounts. They’re searchable online at the Have I Been Pwned database.

Have I been Pwned?

What’s the risk?

People using pwned passwords can pose a serious risk to your cybersecurity. When hackers undertake a brute force attack – using passwords to take personal information or spend users’ hard-earned money through your site – it’s usually the site owner/developer who gets the blame.

The National Institute of Standards and Technology has issued guidelines for federal agencies implementing digital identity services, which state:

When processing requests to establish and change memorised secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example…
* Passwords obtained from previous breach corpuses

NIST Digital Identity Guidelines

If federal agencies are doing it, we recommend you do too.

How do I check our WordPress site isn’t using any pwned passwords?

To help reduce such incidents, we have created a WordPress plugin to prevent users of WordPress and WooCommerce from reusing passwords listed in the database.

Explain how it works like I’m five

  • Troy Hunt, a well-known security expert, collected over seven billion pwned passwords from previous security breaches
  • Pwned passwords are stored as SHA-1 hashes on
  • Whenever WordPress/WooCommerce users attempt to change their passwords, our plugin hashes the user’s password
  • It takes the first five characters from the hash
  • The plugin then asks to cross check for all pwned passwords with the same first five hash characters
  • It then checks how many times the password appears on the database
  • It will then disallow the password change if it has been pwned

How to forbid WordPress users to use pwned passwords

  1. Download and install Disallow Pwned Passwords from the WordPress plugin repository
  2. Activate and forget it!

Once activated, Disallow Pwned Passwords automatically intercepts when:

  • creating new users on /wp-admin/user-new.php
  • changing other users’ passwords on /wp-admin/user-edit.php
  • changing your password on /wp-admin/profile.php
  • new user registration on /wp-login.php?action=rp

If the new password is found in the database, the plugin rejects the change.

Disallow Pwned Passwords – WordPress Core

How to prevent WooCommerce users from using breached passwords

WooCommerce displays personally identifiable information (PII), e.g. name, phone number, address, etc., to returning customers. It’s important to protect PII from credential stuffing. Therefore, Disallow Pwned Passwords provides built-in support for WooCommerce.

If WooCommerce is activated, this plugin automatically rejects pwned passwords when:

Disallow Pwned Passwords – WooCommerce

Did you just send all the passwords to someone else?

No. User passwords never leave your server, not even in hashed form.

How do you compare user passwords with the pwned ones?

To securely compare user passwords against the ones in the database, we need to ensure:

  1. user passwords never leave WordPress web servers
  2. the database provides information about a password without knowing which password it is

Junade Ali from Cloudflare came up with a solution that uses a mathematical property known as k-Anonymity and applies it to password hashes in the form of range queries. (See: Validating Leaked Passwords with k-Anonymity)

Let’s see a real world example:

  1. User wants to change his password to P@ssw0rd
  2. Disallow Pwned Passwords hashes P@ssw0rd into 21BD12DC183F740EE76F27B78EB39C8AD972A757
  3. The plugin takes the first five characters from the hash, i.e. 21BD1
  4. The plugin retrieves all breached passwords and their pwned count with the same hash prefix:
    • (21BD1) 0018A45C4D1DEF81644B54AB7F969B88D65:1 (password lauragpe)
    • (21BD1) 00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2 (password alexguo029)
    • (21BD1) 011053FD0102E94D6AE2F8B83D76FAF94F6:1 (password BDnd9102)
    • (21BD1) 2DC183F740EE76F27B78EB39C8AD972A757:47205 (password P@ssw0rd)
  5. Within the WordPress web server, we find the pwned count (e.g. 47205) by comparing the hash suffix
  6. The plugin rejects the change and displays the error message to the user
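
The range lookup described in the two step lists above, as an added PHP example (not the plugin's own code). `pwned_count()` and the `$fetchRange` callable are hypothetical names, and the range response is a constructed sample built from the four entries quoted in the walkthrough, so the block runs offline.

```php
<?php
declare(strict_types=1);

// Returns how many times $password appears in the breach corpus, or 0.
// $fetchRange is a hypothetical callable(string $prefix): string that
// returns the raw "SUFFIX:COUNT" lines for a 5-character hash prefix.
function pwned_count(string $password, callable $fetchRange): int
{
    $hash   = strtoupper(sha1($password));
    $prefix = substr($hash, 0, 5);   // the only value handed to the lookup
    $suffix = substr($hash, 5);      // remaining 35 characters stay local

    $body = $fetchRange($prefix);

    // Split on LF or CRLF so either line ending is accepted.
    foreach (preg_split('/\r?\n/', trim($body)) as $line) {
        $parts = explode(':', trim($line), 2);
        if (count($parts) !== 2) {
            continue; // skip blank or malformed lines
        }
        // The suffix comparison happens on this server, case-insensitively.
        if (hash_equals($suffix, strtoupper($parts[0]))) {
            return (int) $parts[1]; // a listed count of 0 means "no match"
        }
    }
    return 0;
}

// Constructed sample: the four range entries quoted in the walkthrough.
$sampleRange = static function (string $prefix): string {
    $ranges = [
        '21BD1' => "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
                 . "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
                 . "011053FD0102E94D6AE2F8B83D76FAF94F6:1\r\n"
                 . "2DC183F740EE76F27B78EB39C8AD972A757:47205",
    ];
    return $ranges[$prefix] ?? '';
};

// 'P@ssw0rd' hashes to the value in the walkthrough; the second
// password is a constructed string that is not in the sample data.
foreach (['P@ssw0rd', 'x7#constructed-unlisted-example'] as $candidate) {
    $seen = pwned_count($candidate, $sampleRange);
    echo $seen > 0 ? "reject: seen $seen times\n" : "accept\n";
}
```

In a plugin the callable would perform the HTTP range request, and the site owner has to decide whether a failed lookup blocks or allows the password change.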

Curious users can learn more from:

Can strong passwords be pwned?

Yes. Even long passwords like correct horse battery staple have been pwned.

Password Strength – XKCD –

How to choose a strong password

Short Answer: Use a password manager. For example: 1Password, LastPass, Dashlane, etc.

Longer readings:

I have installed this plugin. Does it mean my WordPress site is unhackable?

No website is unhackable.

To have a secure WordPress site, you have to keep all these up-to-date:

  • WordPress core
  • PHP
  • This plugin
  • All other WordPress themes and plugins
  • Everything on the server
  • Other security practices
  • Your mindset

Besides Disallow Pwned Passwords, we strongly recommend these plugins as well:

  • WP Password Argon Two – Securely store WordPress user passwords in a database with Argon2i hashing and SHA-512 HMAC using PHP’s native functions
  • WP Cloudflare Guard – Connect WordPress with the Cloudflare firewall to protect your WordPress site at DNS level. This allows you to automatically create firewall rules to block dangerous IPs
  • Two-Factor – This adds Two-Factor authentication to WordPress
  • wp-password-bcrypt – Replace WP’s outdated and insecure MD5-based password hashing with the modern and secure bcrypt algorithm

Written by


Tang Rufus