Site security: Use pass phrases and not complex passwords

An excellent article on how to enforce pass phrases and why they outperform traditional ‘secure’ passwords with complex rules.

It’s also much easier, and far less frustrating, for your users.

Why passphrases are more user friendly than passwords

I recently had to change my Atlassian password. The password input placeholder read ‘A few words you’ll find easy to remember’. Nice to see they’re following this advice.

Phishing attacks keep getting smarter.

Listening to the StackExchange podcast this morning, I heard them discuss an interesting question.

How was my mum’s Gmail account hacked?

It turns out this mom received an email from a friend and clicked the link. It opened a number of browser tabs shilling medical supplies.

The mother dutifully closed them all, and then came to a tab informing her that her Gmail session had expired. She entered her credentials, and continued on. This is when the emails started flying.

Reading through the question, it appears this phishing attack is quite smart. It shows the session-expired screen exactly as each of the supported services would display it, and then likely uses the credentials immediately. The individual answering the question hypothesized that 2-stage authentication wouldn’t necessarily help in this case, as the site behind this could take the entered credentials, attempt to log in immediately and, if it received the 2-stage prompt, forward that prompt to the victim.

Bottom line: be VERY leery of ANY links in emails. Don’t log in to a site unless you’ve used a bookmark or typed in the URL yourself. Maintain unique passwords for all sites (a password manager is very helpful here, and there are several available).

WordPress security

I run a WordPress blog, and recently decided to implement some security precautions. One of the first things I did was install the Limit Login Attempts plugin and activate it.

In the course of 2 months, I now have well over 1000 locked-out attempts. All of them are trying to log in as admin.

So my recommendation is the same as most others’: don’t use the admin user (or rename it if you did), and install and activate the Limit Login Attempts plugin!

Sending sensitive data via email

A new site for sending sensitive data to another user has come to my attention. Assuming the site actually does what it says, this can be very useful.

https://noplaintext.com/ takes a message, and provides a URL. They say the text is encrypted on your own machine, and then uploaded to their servers.

You then email the link to the recipient. They can click on the link once to see the contents. NoPlaintext then deletes the payload, so the link can only be used once.

The basic idea is that they generate a hash. The hash is used for encryption locally, and it also appears in the link. They claim they make no record of the hash.

Because the hash is in the link, the recipient has it too and can run the decryption to see the text.

This seems a much better way to send passwords or other sensitive data than pasting them into an email.