Slide 1

WP Chattanooga 2/6/2017 Securing your SELF (Basics)

Slide 2

Passwords

Slide 3

How do they work?
- User inputs password
- Website “hashes” the password with a complex mathematical formula
- Website compares the hashed password with the stored hash
- If they match, the site will log you in

Slide 4

Yours are bad and you should feel bad.

Slide 5

The Math of a 6 Character Password

Character Types      Equation  Possibilities (all lengths up to 6)  Brute Forced In
Numeric              10^6      1,111,110                            1 second
Lowercase            26^6      321,272,406                          5m 21s
Mixed Case           52^6      20,158,268,676                       5h 35m 58s
Mixed Case Numeric   62^6      57,731,386,986                       16h 2m 11s
MCN w/ Symbols       76^6      195,269,260,956                      2d 6h 14m 29s

Slide 6

AVERAGE Math of a 6 Character Password

Character Types      Equation  Possibilities (all lengths up to 6)  Brute Forced In
Numeric              10^6      1,111,110                            1 second
Lowercase            26^6      321,272,406                          2m 50s
Mixed Case           52^6      20,158,268,676                       2h 45m
Mixed Case Numeric   62^6      57,731,386,986                       8h
MCN w/ Symbols       76^6      195,269,260,956                      1d 3h

Slide 7

“Real” Math of an AVG 8 Character Password

Character Types      Equation  Possibilities (all lengths up to 6)  Brute Forced In
Numeric              10^6      1,111,110                            <1 second
Lowercase            26^6      321,272,406                          <1 second
Mixed Case           52^6      20,158,268,676                       <1 hr
Mixed Case Numeric   62^6      57,731,386,986                       <3 hr
MCN w/ Symbols       76^6      195,269,260,956                      <9 hr
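As an added worked example (not part of the original slides), the Python below reproduces the tables above: the "Possibilities" figures are the sum of charset^n for n from 1 to 6, and the times on slide 5 correspond to an assumed rate of 1,000,000 guesses per second. The guess rate and the character-class sizes are assumptions taken from the tables, and the script also extends the same calculation to 8-character passwords.

```python
# Added example: reproduces the slides' brute-force tables. The guess rate
# (1,000,000 guesses/s) is an assumption inferred from slide 5's timings.

# Character-class sizes as used on the slides.
CHARSETS = {
    "Numeric": 10,
    "Lowercase": 26,
    "Mixed Case": 52,
    "Mixed Case Numeric": 62,
    "MCN w/ Symbols": 76,
}


def keyspace(charset_size: int, max_len: int) -> int:
    """Distinct passwords of every length from 1 to max_len.

    The slides label the column charset^6, but the figures shown (for
    example 1,111,110 for digits) are the sum over all lengths up to 6,
    which is what an attacker must exhaust in the worst case.
    """
    return sum(charset_size ** n for n in range(1, max_len + 1))


def crack_time(possibilities: int, guesses_per_second: int) -> str:
    """Worst-case time to try every candidate, formatted like the slides."""
    seconds = possibilities // guesses_per_second
    if seconds < 1:
        return "<1 second"
    parts = []
    for label, size in (("d", 86400), ("h", 3600), ("m", 60), ("s", 1)):
        count, seconds = divmod(seconds, size)
        if count:
            parts.append(f"{count}{label}")
    return " ".join(parts)


def table(max_len: int, guesses_per_second: int = 1_000_000) -> dict:
    """Character class -> (possibilities, worst-case time) for max_len."""
    return {
        name: (keyspace(size, max_len),
               crack_time(keyspace(size, max_len), guesses_per_second))
        for name, size in CHARSETS.items()
    }


if __name__ == "__main__":
    for length in (6, 8):
        print(f"--- up to {length} characters, 1,000,000 guesses/s ---")
        for name, (count, when) in table(length).items():
            print(f"{name:<20}{count:>18,}  {when}")
```

Changing the guess rate reproduces slides 6 and 7: the slide 6 times match roughly 2,000,000 guesses/s, and raising the length to 8 shows how much more length buys than adding symbols.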

Slide 8

Solutions for Brute Force

Slide 9

Plugins to Detect Brute Force
- Jetpack’s “Protect” feature
- iThemes Security
- WP Limit Login Attempts
- Anti-Malware Security and Brute-Force Firewall
- SiteGuard WP Plugin
- Shield WordPress Security

Slide 10

But none of that even matters.

Slide 11

YOU are the weakest link, even with the best brute force plugin.

Slide 12

You likely have been or will be pwned. https://haveibeenpwned.com/

Slide 13

No content

Slide 14

Solutions for Being Pwned

Slide 15

Password Manager Options
- LastPass
- Password Manager (I use this one and like it)
- Dashlane 4
- Zoho Vault
- LogMeOnce
- RoboForm

Slide 16

Password Manager
- Generates a (truly) random password for every site you visit
- Stores all passwords in an encrypted manner
- One master password, protected locally by 2FA and brute-force detection

Slide 17

What is 2FA?

Slide 18

How do you identify yourself? Three factors:
- Something you are (likeness, DNA, fingerprint)
- Something you have (ID card, phone number)
- Something you know (password, username)

Slide 19

Two Factor Authentication

Slide 20

WordPress 2FA Methods
- Clef
- Duo
- Authy
- Google Authenticator
- Rublon
- WordFence

Slide 21

But none of that even matters.

Slide 22

YOU are the weakest link, even with the strongest password manager.

Slide 23

Encryption (SSL / VPN)

Slide 24

No content

Slide 25

WITH Encryption (SSL / VPN)

Slide 26

PWNED Username / Password / Credit Cards

Slide 27

WITHOUT Encryption (SSL / VPN)

Slide 28

AWW :( 8a34ee6f0378bc4637635f771e966af1

Slide 29

No content

Slide 30

WordPress Plugins for SSL (HTTPS redirect)
- Really Simple SSL
- SSL Insecure Content Fixer
- WP Force SSL

Slide 31

Easy VPN Services
- PrivateTunnel
- PIA (Private Internet Access)
- Tor
OR, set up your own on:
- Linode
- Digital Ocean
- AWS

Slide 32

EL FIN