Weak WordPress passwords continue to undermine the security posture of the platform. Remember the FastCompany breach in September? The hackers have claimed to have gotten access to the WordPress CMS by utilising a simple default password on scores of accounts.
The best analogy possible has been used by so many writers on so many instances that it has almost become a cliché: you get the best lock possible, and you just give the keys away! And the situation in 2023 does not look much different, according to a new discovery.
Strong WordPress, password weak
Researchers at Italian computer and network security company Red Hot Cyber discovered “well-known Russian-speaking underground channel” on Telegram where logins to the WordPress administration panels are constantly published.
The latest tranche had the details of over 2,800 users.
“After sieving through them, we found 101 users belonging to Italian sites. These details are provided freely downloadable for the followers of the channel,” said the report.
There was no shortage of administrative credentials where the password for the ‘admin’ account is, you guessed it right, ‘admin’.
“This suggests that we are still a long way from the security of a seat belt or a full-face helmet!,” said the report.
The researchers listed the entire WordPress panels that have been reported in the underground forum, urging anyone who identifies with these domains to initiate a mass password reset.
“This information breach is certainly the result of infostealers and botnets. Still, we advise you to adopt robust password policies, which allow users to avoid entering trivial predictable passwords as in this case,” said the report.
WordPress password: manual vs machine-made
“Unless your password was created by a good password generator, it is crackable,” wrote Jeffrey Goldberg, Principal Security Architect at 1password.com.
For instance, there are quadrillions of possibilities for 12-character passwords, and it would take many millions of years to try them all. However, hackers do not try all the possible passwords, he pointed out.
“The cracking systems will try things like Fido8my2Sox! and 2b||!2b.titq long before they try things like the machine created zm-@MvY7*7eL. Passwords created by humans are crackable even if they meet various complexity requirements.”
Therefore, the quadrillions of possibilities are not as important as whether the password chosen by a human will be among the few billion that attackers try first. In other words, the relevance of all those possibilities depends on whether all of them are equally likely, he explained.