Why changing original user name is now critical for security (10 posts)

  1. donshapiro
    Member
    Posted 1 year ago #

    There have been discussions in the past about WP giving us the ability to change the original user name that becomes the log-in name. Yes, there are some good reasons not to allow this such as someone locking themselves out and other inconveniences. But the times have changed so dramatically from a security perspective that it makes sense today.

    1. Most users set up WP with a log-in that is their name. Even a low level amateur hacker can find that out in the source code. So now they take that name and try to hack into your WP. This leaves us with only one defense: a really tough password. Just how many WP users actually have difficult-to-crack passwords? Probably not a lot. The technically savvy do but they are a minority of users. For the average, everyday WP user, simply changing their user name to something that can't be found in the source code would dramatically reduce hacks.

    2. And now the really bad news for the techie community. Hackers are getting more and more sophisticated. We all know this. It's like the old Road Runner cartoons where Wiley Coyote tries to get the Road Runner and the Road Runner just barely manages to outwit him. This is the constant battle we face in security. No matter what we do, Wiley Coyote figures it out and then we have to do something even more sophisticated. Anyone who knows anything about security is aware that today you need a password which has a long string of special characters. That is more important than numbers and caps by about 1000%. What percentage of WP users actually use passwords like that? Probably not a lot. We do need to educate them that this is critical today.

    But even the best passwords are not going to be enough with the way Wiley Coyote works. Hackers are figuring out ways to crack special character strings though it still takes a really powerful computer to run millions of those sequences.

    Today, we have hackers who focus on WordPress sites. They detect it's WP, find the user name usually from the source code and then try to hack in. My 404 tracker shows hundreds of log-in attempts every week.

    So, the next step in computer security, not just for WP but all types of computer access, is the elimination of an easy-to-remember user name and replacing it with something that is just like the best passwords we now use. If you have a 12 character user name that combines characters, numbers and special characters and a different 12 character password, the potential for being hacked would be the lowest possible, a fraction of the risk of just using the best passwords today.

    Of course, if WP were to allow us to change our user name, there would need to be additional protections and warnings built in so people wouldn't do this overly quickly. Statements asking if you have saved this user name somewhere and are you sure you want to change how you log on to WP would need to be added as a safeguard. There may be other tools that need to be added as well. Are users aware that they shouldn't be typing in passwords and instead copying and pasting them just in case they have a keystroke virus installed in their computer?

    It's simply time to ramp up our security defenses to the next level. We also need to do a better job of educating the average user about passwords so all WP sites have the best current protection possible. So yes, I'm recommending that as standard, everyday, universal computer access security, we have to copy and paste two different long strings, one for the user name and one for the password. It is definitely a brave new world. And shortly, WP and all other computer systems and software may need to add a third field with one or two characters to multiply the sequence complexity by another 40 to 80 moving it from the hundreds of millions to hundreds of billions of combinations or even higher.
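One way to see the login hammering the first post describes in your own logs, as an added example that is not from this thread or from WordPress itself: a small Python script that counts POSTs to wp-login.php per source IP, flags an IP whose successful login (WordPress answers a failure with 200 and the form again, a success with a 302 redirect) followed earlier failures, and records ?author=N requests, which WordPress redirects to the author's archive and so reveal usernames. The log lines, IPs and threshold are constructed assumptions.

```python
"""Flag WordPress login brute force and username probing in a web access log.
Added example, not code from the forum thread; assumes the combined log format
of Apache/nginx and uses constructed sample lines, not real traffic."""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Constructed sample: one IP hammering wp-login.php (WordPress answers a failed
# login with 200 and the form; the final 302 is the redirect to wp-admin on
# success), one IP walking ?author=N to harvest usernames, one normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [10/Oct/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [10/Oct/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [10/Oct/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [10/Oct/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.9 - - [10/Oct/2013:10:01:00 +0000] "GET /?author=1 HTTP/1.1" 301 0
198.51.100.9 - - [10/Oct/2013:10:01:01 +0000] "GET /?author=2 HTTP/1.1" 404 1200
192.0.2.5 - - [10/Oct/2013:10:02:00 +0000] "GET /2013/10/hello-world/ HTTP/1.1" 200 8800
"""

def parse(log_text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def analyze(log_text, threshold=4):
    """Per-IP wp-login.php POST counts, IPs at or over threshold, IPs whose
    302 (successful login) followed earlier failures, and ?author=N probes."""
    posts, fails, success_after_fail = Counter(), Counter(), set()
    probes = defaultdict(set)
    for rec in parse(log_text):
        ip, path = rec["ip"], rec["path"]
        if rec["method"] == "POST" and path.startswith("/wp-login.php"):
            posts[ip] += 1
            if rec["status"] != "302":
                fails[ip] += 1          # form re-served: credentials rejected
            elif fails[ip]:
                success_after_fail.add(ip)  # password found after N tries
        m = re.search(r"[?&]author=(\d+)", path)
        if m:
            probes[ip].add(int(m.group(1)))
    return {"login_posts": dict(posts),
            "brute_force": sorted(ip for ip, n in posts.items() if n >= threshold),
            "success_after_failures": sorted(success_after_fail),
            "author_probes": {ip: sorted(v) for ip, v in probes.items()}}
```

An IP that appears in success_after_failures is the case worth acting on first, since it means a guessed password worked rather than merely being tried.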

  2. leejosepho
    Member
    Posted 1 year ago #

    Are users aware that they shouldn't be typing in passwords and instead copying and pasting them just in case they have a keystroke virus installed in their computer?

    I typically do that to avoid typos and did not realize it also thwarts key-loggers.

  3. donshapiro
    Member
    Posted 1 year ago #

    It's a little scary out there. I don't know what formal research has been done about what WordPress users do and don't do but I can only imagine based on talking to many of them. Most people on the internet including the average WP blogger just don't have a clue about security. Those that do know it's important may put a couple of numbers and a capitalized letter in their password and that's about it. Between those who use easily hacked passwords and those who use just a little bit more, we are probably talking about 90% of all users.

    Yes, copy and paste is critical to thwart the keystroke trackers. Never, ever type a password into anything. Period. Even if you have the world's best malware protection, Wiley Coyote could develop a new way to slip in a tracker before the security people close the loop.

    I believe I'm estimating low when I say that 90% of computer and internet users are not properly protecting themselves. It's probably closer to 97%. We are fighting human nature here. People want to use things they can remember for both their user name and their password.

    WordPress.org and WordPress.com along with the entire development community need to embrace a major educational campaign for all users about proper security. The most basic rules I can imagine that everyone should be using are these two:

    1. Copy and paste passwords.
    2. A password should have at least 14 characters with 10 of those being at least 2 different special characters and the other 4 a combination of letters and numbers with one of the letters being capitalized. Longer strings of special characters are even better.

    Let's work together to make all WordPress websites safe and secure.

  4. leejosepho
    Member
    Posted 1 year ago #

    Wiley Coyote could develop a new way to slip in...

    He failed at everything, actually, but hackers do not. Also, a username and a user's display name should never be the same for everyone to see.

  5. cubecolour
    ɹoʇɐɹǝpoɯ
    Posted 1 year ago #

    There are several plugins available that enable you to change your username. See: http://wordpress.org/plugins/search.php?q=change+username

  6. donshapiro
    Member
    Posted 1 year ago #

    Oh yeah, that's number 3 - username different from publicly used name. The big three.

    Hackers succeed because they run strings through computers to find matches. The more difficult the strings, the longer it would take to crack, which defeats their need to do things quickly. They can't afford to have their system tied up for several days just trying to hack one password. Now, if they had to run two different difficult strings and get an exact match on both to get in, it would probably require an IBM supercomputer running for at least a day or two which in the hacker world would be months to try to crack one account.

    Maybe a better metaphor for hackers is The Borg!

  7. Andrew
    Forum moderator & snail smusher
    Posted 1 year ago #

    Surely there are tools to debug copy-and-paste data by now; I wouldn't assume that this is safe or safer than keying.

  8. donshapiro
    Member
    Posted 1 year ago #

    Yes, I'm aware of those plugins. This is not about me. This is about WordPress. How many WordPress users even use plugins? How many of them would even think they need to change their user name? We have to start thinking like the average Joe and Mary WordPress user and what they are going to need to protect themselves.

    Plugins work around and often outside of the WP database which is quite secured inside the host. Hackers can detect the plugins through the source code and get around some of them. We need rock solid user name protection from within the codex itself, not from plugins. Don't get me wrong. I love plugins and use a lot of them. This is core.

    Even though most WP users would scream bloody murder, maybe we need to force this change at the codex level by requiring 14 string passwords with certain parameters even to install WordPress and then do the same with the user name. If this was required at the beginning just to use WordPress, everyone would be secure. Of course, there would need to be good explanations as to why this requirement is being imposed on everyone.

  9. leejosepho
    Member
    Posted 1 year ago #

    Maybe a better metaphor for hackers is The Borg!

    I suspect there is a spectrum with the undefeated Yogi Bear on the other end still opening any picnic basket he sees anywhere.

  10. leejosepho
    Member
    Posted 1 year ago #

    I received this in an e-mail from my ISP this morning:

    The information indicates that your Internet connection was being used to provide DNS services to a zombie computer network, also known as a Botnet. Infection details:

    Type: ZeroAccess
    Source port: 62397
    Destination IP: 68.xx.xx.224
    Destination port: 16471

    Botnets are networks of compromised computers under the control of a hacker or group of hackers. Botnets are often used to conduct various attacks ranging from denial of service attacks on websites, to spamming, click fraud, and distribution of malicious software.

    To address this problem...

    I ran a couple of scans and all is clean here, so I suspect that came from my clicking some of the strange-looking referral links I occasionally see at my sites.

This topic has been closed to new replies.