This all started, innocently, yesterday as I was going through some online accounts that I have registered to an old email address. I bought my wife some Jo Malone perfume last year, I think, and, as a result, I now have an account on their site. But, and unfortunately they’re not the only site to […]
At the moment, I’m having a ‘discussion’ with British Airways on Twitter. Sadly, it’s not the first time I’ve had a similar conversation with a company. Here’s the initial part of the problem – when you try and change your BA password, it gives you the following guidance for the password… So, the password has […]
Since late last year I’ve been going through a process of adding complex, long and individual passwords to all my online accounts. I’m still doing it, albeit the less important accounts. Today I looked at bt.com. I don’t use them but still have an account set up from when I used to use them.
Now, by default, I try and use a 50-character randomised password, complete with numbers and symbols, generated by 1Password. Some sites have length limits so this sometimes needs adjusting. The BT account page lists no such limitations, so what could go wrong?
At a recent visit to a local WordPress meetup, the question of how we should secure our WordPress websites came up. Not from a business angle, but for regular at-home bloggers.
So, here’s my 2¢ worth.
On the same day that a security researcher released details of a vulnerability in the way WordPress deals with password resets, I too reported a security issue. Well, more of a concern.
For a while I’ve noticed that more and more sites are not telling you, when you do a password reset, if the email you’ve entered is valid or not. They’ll, instead, give you a message along the lines of “if that email is valid, we will send you details on how to reset your password”. That way you can’t use the password reset feature to fish for people’s emails.
But WordPress doesn’t do that. Enter a user name or email address and it will tell you if it was valid or not.
Hey Churchill, is your website security appallingly bad?
The next time you sign up for a website or you click on the ‘Forgotten password’ link and they email you your password… run! Delete your account and don’t use them.
Let me explain why.
As part of my new job, online security is paramount. To this end, for a number of months I’ve been ploughing through my online accounts and updating passwords to be unique and strong. A password manager is essential to this – I use LastPass but 1Password is also recommended. I also changed my email address recently, so I’ve been taking the opportunity to update that as well.
Unfortunately, some websites, and retailers in particular, don’t seem to want to help out, making it difficult, one way or another, to be as secure online as you’d like.
So, you’ve created open source software to make it easier to provide update signing. It requires auditing, but you ask WordPress to implement it in their system and, for now, they decline, simply because it’s not something immediately planned. However, Matt Mullenweg agreed to donate towards getting the audit done.
What would you do the next day?
I’m guessing it wouldn’t involve posting a massive rant about WordPress, specifically aimed at Matt, about how much WordPress doesn’t care about security, even to the point of trying to popularise the hashtag #StopMullware? Well, that’s just what Scott Arciszewski did, via Medium.
For some time I’ve been using LastPass to manage my passwords (other password managers are available!) but have never fully moved over to using it full-time, because of the ease of just getting Chrome to remember my password instead.
Well, I’ve decided, and there are very good security reasons for doing so, to move full-time to LastPass. But how to do it?