How to find out the strength of the WordPress (already stored) password?
I am responsible for the security of a lot of shared hosting servers. Most of them host WordPress websites. Each server has at least 500 WordPress websites.
In my experience, the issues with WordPress start with weak passwords. Most website admin passwords are very weak, and by using the weak password the website is exploited and used for various malicious activities.
Now my plan is to find out the weak passwords of the WordPress websites and forcibly change the admin password to some other strong password,
so that WordPress can be secured and my server will not be in trouble.
What is the way to know the strength of the stored WordPress passwords?
Brute-force hashes
You could bruteforce the hash that is stored in the database.
WordPress uses phpass for hashing. By default, WordPress does not use Blowfish or similar, but just MD5 with an iteration count of 8192. If you just want to find really bad passwords, brute-forcing is certainly feasible.
But I would consider this a rather big violation of the trust that the users put in you, so I would not recommend this approach.
Analyze their passwords when logging in
You could add a script that intercepts all requests to WordPress login scripts, and log or analyze the passwords, as they are in plaintext at that point.
Of course, this only catches weak passwords once a user actually logs in. If they have abandoned their site or are rather inactive, it may take a while for you to discover that they use a weak password.
I would consider this an even bigger violation than bruteforcing the hashes, and it also carries some security concerns with it (if you store the passwords in plaintext, this would obviously be a concern, but even if not, you may accidentally store some information from the analysis which may help an attacker).
Implement a Password Policy (and force users to change their passwords)
You could implement a password policy. When a user submits a new password, you would check if it complies with your policy or not (ideally, this would happen server-side, not client-side via JavaScript).
Writing a good password policy is difficult, so take a look at existing policies to help you here.
Of course, old passwords are not affected by the policy, so you need to force users to change their old passwords to comply with the policy.
Limit Damage
Enforcing strong passwords can certainly be a good idea, but ideally, a hacked WordPress instance shouldn't really affect you as the webmaster.
You want to limit the damage once an attacker has gained access to a WordPress installation. Ideally, only that one instance would be affected, not your whole server (so you may worry about an attacker putting indecent content on a website, just like a valid user might do, but not about code execution or other malicious activity).
This is a rather broad topic, but some points include: DISALLOW_FILE_EDIT, limiting the use of plugins (as they are far less securely coded than WordPress itself), disallowing JavaScript (e.g. with multisites, only super-admins have the right to post JavaScript, not admins), etc.
Try to brute-force it using a dictionary attack
What better way to assess the strength of your password? :-)
Yes I know, it'll take some time...
Otherwise, you could simply assume all the passwords are weak (I'd say that's going to be a very accurate assumption), create the passwords yourself, store the hashes in the database, and give the plain-text password to the admins using a "secure" channel.
Otherwise, assume again all the passwords are weak and force the admins to change them, and use a very picky password strength validator on the website itself.
WordPress passwords are hashed, like any sensible application does when it comes to storing passwords, because storing clear-text passwords is very insecure, since your users might use the same password for other services (think Gmail?).
It's not possible to convert the hash back to the password; otherwise one might as well store them in clear text. Passwords used to be hashed with MD5, but that was proven insecure by a security team, so the hashing algorithm was updated to phpass.
Tip: WordPress can still manage to hash it correctly even if you put MD5(%password%) into the SQL column.
Now the practical way to approach what you are trying to do for a single site is indeed to force a change of passwords by changing the column to something else and enforcing password strength requirements on the page where they are going to update their password. But your use case requires doing this on so many WP installs, and those site owners might not appreciate you doing this without their consent. So you definitely have to limit the scope of impact of your actions.
1) Update passwords only for admins and editors, but that requires you to find out who those users are. Email them, and then enforce the password restriction on the reset-password page / registration page etc. Remember someone can have those forms elsewhere on the site (think AJAX forms too). Creating a WP-CLI command would help you here in executing this plan, rather than loading the WP environment and running scripts.
2) Generate a rainbow table which consists of hashed passwords for known strings (passwords). Then you basically have to match the hashes against a particular user's password and evaluate the strength of that password. Generating the table is the slowest step here, as you have to hash each possible password there can be, store it on disk (several GBs depending on the length and combination of passwords you are accounting for), and then act on the results. 99% sure it's an overkill solution for your needs.
Tip: You know those salts and secrets we have in the wp-config.php file. Changing them invalidates logged-in sessions, just in case you ever need that.
You can't forcibly change the WP admin password unless you have control of each WordPress database, which is stored in phpMyAdmin.
And no, there is no quick way to find out weak passwords on 500 WordPress sites. Josip mentioned one link to check password strength, but that site does not use the MD5 crypto algorithm to check password strength.
Check out this SO link (WordPress using MD5) and you will see the output is different from that app. So as you see, p#aSS*Word14 is not more secure than Dance With Me Tonight. So don't use a third-party app to check your WordPress password, because they may be using another crypto algorithm to check/assume password strength.
Also you should have all the passwords and test them one by one; there is no magic trick to find them out quickly.
Another thing is that if one WordPress site is hacked, it does not affect other WP sites on the same server (except DoS attacks). I have seen many people start WP on shared hosting, and their site gets hacked, but still their neighbor's site was running fine, because each WP has its own database in phpMyAdmin.
As the passwords are hashed, the only way to test their security is to brute-force them. Gather a list of commonly used, weak passwords and test them against the hashes stored in your database.
Unless you use a very exhaustive password list this won't catch all of the weak passwords, but it will filter out the weakest of them.
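The audit that this answer and the first answer describe (testing the stored phpass hashes against a short list of known-weak passwords) as an added example in Python, not code from any of the posters: it implements the phpass portable hash scheme ($P$, 8192 MD5 rounds by default) so the check runs offline against rows exported from wp_users; the user rows, salts and weak-password list are constructed here for illustration.

```python
import hashlib
import hmac

# phpass portable hash ($P$/$H$, 34 chars): log2(rounds) char, 8-char salt, 22-char digest
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(raw: bytes) -> str:
    # phpass's own base64 variant: little-endian 24-bit groups, no padding
    out = []
    for i in range(0, len(raw), 3):
        chunk = raw[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for k in range(len(chunk) + 1):
            out.append(ITOA64[(value >> (6 * k)) & 0x3F])
    return "".join(out)

def phpass_hash(password: str, salt: str, count_log2: int = 13) -> str:
    # WordPress's default count_log2 of 13 is the 8192 MD5 rounds mentioned above
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return "$P$" + ITOA64[count_log2] + salt + _encode64(digest)

def phpass_verify(stored: str, candidate: str) -> bool:
    # Recompute with the settings taken from the stored hash; reject other formats
    if len(stored) != 34 or stored[:3] not in ("$P$", "$H$"):
        return False
    count_log2 = ITOA64.find(stored[3])
    if not 7 <= count_log2 <= 30:
        return False
    recomputed = phpass_hash(candidate, stored[4:12], count_log2)
    return hmac.compare_digest(recomputed[3:], stored[3:])

def audit_weak_passwords(users: dict, weak_list: list) -> dict:
    # Per-user salt: every (user, candidate) pair costs a full 8192-round hash,
    # so a table precomputed once cannot be shared across users as a rainbow table would
    return {u: w for u, h in users.items() for w in weak_list if phpass_verify(h, w)}

# Constructed sample rows (not real data); the hashes are generated here, in-block
SAMPLE_USERS = {
    "alice": phpass_hash("password123", "AbCdEfGh"),
    "bob": phpass_hash("correct horse battery staple", "H1j2K3l4"),
    "carol": phpass_hash("admin", "zyxwvuts"),
}
COMMON_WEAK = ["123456", "password", "password123", "admin", "wordpress"]

if __name__ == "__main__":
    print(audit_weak_passwords(SAMPLE_USERS, COMMON_WEAK))  # {'alice': 'password123', 'carol': 'admin'}
```

Accounts that show up in the result are the ones to reset first; the legacy 32-character hex MD5 rows WordPress still accepts and upgrades on login are rejected by phpass_verify rather than silently mishandled.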
As previous answers have pointed out: you cannot read the stored passwords.
An alternative solution could be:
Implement the suggestion by Josip Ivic to enforce strong passwords.
Delete all passwords (or only passwords for users with certain privileges).
And finally, inform the affected users that a new password policy is in effect and direct them to /wp-login.php?action=lostpassword to reset their passwords.
The good news is that you can change users' passwords; the bad news is that you cannot see them. WordPress is so powerful that even in the database it stores the password with one-way encryption: it's not just an MD5 hash you can convert, it's not even serialized data; for the password test123 you would get something like $P$BjW8o9Dm1vC5bwAcP1iAdNVm0lbvn. Also, even if you change the password field in the database without using encryption, it wouldn't work.
How to change the password
I believe you are aware of this but I'll just leave it here.
You can enter your WordPress dashboard with admin privileges, go to Users, find a user, and (this part is kind of bad for your purposes) you must click on Generate New Password; it will give you some random soup of letters and symbols, and you can edit it with your own, but even then you cannot see the password.
I'm not sure that this is even possible. When you select your password, it's stored hashed in the database. There's no reverse engineering when it comes to hash algorithms.
In my experience, the script for password strength is located in example.com/wp-admin/js/password-strength-meter.js, and this is the link to it.
You can change the levels and percentages for passwords here, so you can set a mandatory password strength of 100/100.
And, if you want your client to check password strength, there's a cute application that can give you password strength here.
It's impossible to do any reverse engineering here, and in addition, there are a few plugins that force users to have strong passwords.