There’s no escaping the simple fact that “passwords”, as a means of verification, are here to stay.
In the majority of cases, they’re the sole means of account verification.
If you’ve heard it once, you’ve heard it a million times: use strong passwords!
But “strong” isn’t enough. Here are some recommendations, which I’m sure you’ve heard before.
Passwords must be:
- long – shorter passwords are more easily cracked
- strong – a “suitable” combination of numbers, letters, upper/lower-case, punctuation
- don’t re-use passwords across different accounts/service
- don’t repeat passwords you’ve already used before
- updated – regularly change your passwords
Unfortunately, this is all a bit much for most people and overwhelm kicks in, resulting in simplistic passwords that rarely get updated.
What’s all the fuss about? Who’s gonna guess my password?
Before we go any further, we must stress the importance of password strength and how you maybe feel that you’re not a target.
You are a target. Every. Single. Day.
Not because you are you, but simply by the fact that you exist.
Automated bots that brute force or crack your passwords don’t care about you, they only care about gaining access. They’re built on the sound premise that the majority of users employ weak passwords.
Your dog’s name isn’t unique. Nor is your date of birth. Your maiden name isn’t special, and your son’s middle name has been chosen by many other people before you and since.
Please, if you get nothing else from this article, and without meaning to strike baseless fear into you, understand that you are a target, and your passwords matter.
You’re Only As Strong As Your Weakest Link
You’ve heard that one before, I’m sure. And for good reason.
You can secure your WordPress site, keep it up-to-date, apply patches, run scans, use CloudFlare and employ all manner of security protocols, but if your administrator passwords are weak, none of it matters.
This not only applies to you, but for every administrator on your site.
And if you’re using shared web hosting, it applies to every administrator on every site that’s sharing the web hosting.
What Is Your Current Password Policy?
Password Complacency is not a great security policy. It will come back to bite you.
This isn’t just about how strong your passwords are, it’s about every user with any access privileges on your sites and resources.
Unfortunately WordPress has no built-in way to enforce password policies.
Does Your Lack Of A Password Policy Align You With The GDPR? No.
Firstly, if you’ve never heard of GDPR, and you don’t know what it is, start here.
The GDPR is a scary word for many people at the moment. But it’s all about enforcing sound security practices alongside robust privacy safeguards.
Something we should be doing already.
Part of the GDPR stipulates that organisations should:
…implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…
We’re currently reviewing our policies and guidelines to ensure we’re compliant with GDPR rules. Part of this is the automated enforcement of password policies across all our WordPress websites and services.
With the Shield Security Password Policies in-place, we can now point to “appropriate measures”. These policies help ensure a high degree of security for user access control.
You’re not in Europe, so GDPR doesn’t apply to you? Not so.
If you or your customers do business with parties in Europe, or with parties that do business in Europe, you (and your customers) may be subject to GDPR compliance.
No organisation can itself be GDPR compliant, and at the same time have business operations that involve exchange of sensitive data with any other organisation that is not GDPR compliant.
Just to be clear, Shield Security does not “make” you GDPR compliant. But employing appropriate security measures to protect sensitive data plays a role in getting you there.
WordPress Password Policies Available With Shield Security
With the latest release (v6.6) of Shield Security, we’re providing several important password policy rules.
Passwords are checked at 4 key areas:
- Account Registration
- Forgotten Password Reset
- Profile Update
- Account Login (only applies when the option “Apply To Existing Passwords” is turned on. See below)
We talked about the Pwned Passwords API in a previous article. This option will automatically detect the use of “pwned passwords’ and prevent their use.
Self-explanatory – this rule isn’t so important, as it’s covered more comprehensively by the following rule.
The password strength indicator is based upon the now-famous zxcvbn password strength calculator.
Strength labels range from Very Weak -> Very Strong. These labels don’t align exactly with the WordPress password strength meter, so you may see conflicting results when you use this. But if you ever use the default password that WordPress provides when you reset your password, you’ll easily pass on both strength tests.
Of course, “strength” of a password is determined by many factors, and length is only one of those. It all comes down to “how long would it take for someone to crack my password”.
Apply To Existing Passwords
This lets you retrospectively apply your password policies to users and their existing passwords. When a password is found that doesn’t meet your minimum requirements, it’ll force the user to change their password before allowing any other actions.
Note: it can only test the strength of a password after the user next logs in successfully.
This will force any user to change their password after the expiration period (days). The counter for expiration starts from the next time the user logs in.
How To Get Access To WordPress Password Policies
The feature has the following requirements:
- PHP v5.4+ (more info)
- Shield Security v6.6+
- Shield Pro is required for all options except ‘Pwned Passwords’
Note: only the ‘Pwned Passwords’ feature will be available in the free version. All other password policy settings will be Pro-only.
If you have any questions or suggestions about this feature, please do let us know in the comments below.