undefined | Better HN

0 pointsprogmetaldev1y ago0 comments

Unless your users reuse passwords on other websites, then it is remarkably easy to enter a website. Increasing password complexity doesn't solve the issue with password reuse, and can often have users writing their passwords down on post-its around their desk/monitors.

0 comments

dec0dedab0de1y ago

Increasing complexity makes it harder to brute force hashed and salted passwords from a database. But yes if it is already leaked then you have a problem.

Though I would say that checking against haveIbeenpwnded or another service is a much better mitigation against that.

And 2fa is even better than both.

The truth of the matter is that the owners of most wordpress sites really do not care if it is hacked. Especially if they have a semi decent backup strategy. It is used in so many low stakes deployments that it is kind of silly to force certain levels of security.

Remember it is always about risk/reward. The most secure computer is the least usable one.

progmetaldevOP1y ago

I do agree, but with the popularity of Wordpress, I see more and more larger companies using it as a solution. I think the bigger issue is having the site penetrated, then silently serving up malware to your clients, than defacement or anything that would receive attention. I'm not familiar if there is a plugin or solution for integrating a password checking service with Wordpress. I know that it's not difficult to integrate with other CMS solutions.

j / k navigate · click thread line to collapse