Best practice of WordPress or CMS Password Security and Hashing

Passwords are a form of authentication that is tied to users or processes. They are used to validate the identity of a user or a process against a computer system or resources. In today's modern web of ultra-connectivity, of IoT devices and mobile, password security is a more serious topic than ever. Password database leaks happen all the time, with major companies such as LinkedIn, Tumblr and Yahoo being affected. A couple of years ago a massive database containing over 560 million passwords was discovered floating freely around the Internet!

So in this article, we’ll talk about three things related to passwords and WordPress:

  1. Strong password generation and management.
  2. How WordPress does password hashing.
  3. Implementing your own password hashing.

Weak and strong passwords

Password strength, in terms of brute-force complexity, is a topic of much debate, and the notion of how strong a password is has been largely redefined throughout the decades, as more powerful computing resources become readily available to the individual. World-renowned security expert Bruce Schneier has written an excellent post discussing password security and how to choose secure passwords.

When talking about password strength one has to include the context and the threat level:

It is one thing, and much more difficult, for an attacker to try to guess your WordPress password; it is quite another if he or she has compromised your security and has access to the entire hashed password list.

In the first situation, the attacker will quickly be blocked by the authentication service because of too many login attempts in a short period of time. Usually, attackers discover passwords through means other than brute-forcing, such as phishing, malware and so on. However, if the target has chosen a password built from relatively public information, such as a date or a name/surname, it becomes much easier for the attacker to guess it.

In the second situation, if the attacker has access to the password file, it might just be a matter of time, particularly if the hash function used is MD5, which was broken and proven insecure a long time ago. The attacker can use modern hardware (such as GPU boards) combined with precomputed "rainbow" tables to crack the entire password file in very little time. Additionally, in some extreme cases, the passwords of all users are stored in plaintext in the database. In both of these cases, the "strength" of your password is nullified.

How to generate and store strong passwords

It is best to leave password generation and management to a computer you trust, instead of trying to think up strong passwords yourself on a regular basis. You're human, and inevitably you will err and pick something that a computer regards as a weak choice.

Using a password manager to generate and store a password for every service is efficient and carries the least risk. While the thought of keeping all of your passwords in one place can be unnerving, it is actually a plus: knowing that all of your passwords are in one place, you can secure them more easily. No more random pieces of paper or permutations of weak passwords that are easy to remember but just as easy to guess. A password manager can also generate strong passwords for you without any fuss.

The most popular (and expensive) choice is 1Password, but you can also use the one supplied with your operating system (such as Apple's iCloud Keychain) or, as we do at Tenten, an open-source multi-platform solution such as Bitwarden.

WordPress password hashing

Password hashing is a technique whereby the plaintext password is passed to a hash function and converted to a long alphanumeric value. WordPress uses this to store passwords in the database, preventing prying eyes from reading them directly. When you log in to WordPress and send your password, it computes the hash and compares it with the one in the database. If it is the same, you are granted access; if not, you are denied. This method works because a specific text string (a WordPress password in this case) will always generate the same hash value. Since a hash value cannot be converted back to the original text, WordPress can only know that you've entered the correct password if the hash value of the password you supplied and the one stored in the database are identical.

By default, the WordPress wp_hash_password() function uses an 8-pass MD5 algorithm to generate hashes. However, MD5 has been successfully broken using a combination of modern hardware and a technique called rainbow tables, which hold a massive amount of precomputed values. These help an attacker try billions of combinations per second on just one modern GPU.

Implement your own WordPress password hashing

In Tenten we use WordPress development in
Roots.io (the people behind the Trellis, Bedrock and Sage WordPress boilerplates) have also released a WordPress plugin that implements bcrypt for the default WordPress hash functions.
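As an added example (not code from this page, from Tenten or from the Roots.io plugin), this must-use plugin shows the hash-and-compare flow described above with WordPress's pluggable wp_hash_password() and wp_check_password() replaced by PHP's native bcrypt functions; it keeps verifying existing phpass ("$P$") hashes and upgrades them on the next successful login. The cost value of 12 is an assumption to tune for your own server.

```php
<?php
/**
 * Plugin Name: Bcrypt password hashing (example)
 * Place in wp-content/mu-plugins/ so it is loaded before wp-includes/pluggable.php
 * defines the default (phpass/MD5-based) versions of these functions.
 */

// Assumed bcrypt work factor; raise it as your hardware gets faster.
const TENTEN_EXAMPLE_BCRYPT_COST = 12;

if ( ! function_exists( 'wp_hash_password' ) ) {
    function wp_hash_password( $password ) {
        // password_hash() generates a random salt and embeds it in the result.
        return password_hash( $password, PASSWORD_BCRYPT, array( 'cost' => TENTEN_EXAMPLE_BCRYPT_COST ) );
    }
}

if ( ! function_exists( 'wp_check_password' ) ) {
    function wp_check_password( $password, $hash, $user_id = '' ) {
        if ( strncmp( $hash, '$P$', 3 ) === 0 ) {
            // Legacy hash produced by WordPress's default portable phpass hasher.
            global $wp_hasher;
            if ( empty( $wp_hasher ) ) {
                require_once ABSPATH . WPINC . '/class-phpass.php';
                $wp_hasher = new PasswordHash( 8, true ); // same parameters WordPress uses
            }
            $check = $wp_hasher->CheckPassword( $password, $hash );
            if ( $check && $user_id ) {
                // Correct password: transparently re-store it as bcrypt.
                wp_set_password( $password, $user_id );
                $hash = wp_hash_password( $password );
            }
            return apply_filters( 'check_password', $check, $password, $hash, $user_id );
        }

        // Constant-time comparison against the bcrypt hash.
        $check = password_verify( $password, $hash );
        if ( $check && $user_id
             && password_needs_rehash( $hash, PASSWORD_BCRYPT, array( 'cost' => TENTEN_EXAMPLE_BCRYPT_COST ) ) ) {
            // Cost was raised since this hash was made: upgrade it while we have the plaintext.
            wp_set_password( $password, $user_id );
            $hash = wp_hash_password( $password );
        }
        return apply_filters( 'check_password', $check, $password, $hash, $user_id );
    }
}
```

Existing users keep logging in with their old phpass hashes until their first successful login, after which the database row holds a bcrypt hash, so no password reset campaign is needed.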

Conclusion

In order to ensure that you use strong passwords and change them frequently, it is best to use a password manager. This can help keep all of your passwords organised in one place and remind you when it is time to change them. When it comes to password hashing, it is best to use a cryptographically secure algorithm like SHA-2 or Bcrypt instead of falling back to WordPress’s default. Rolling your own hash function is best avoided, as one mistake can introduce security issues.