If you are anything at all like me you have accounts on scores – or hundreds – of different websites. The sad fact of the matter is that the chances are high that several of those sites will suffer a serious security breach over the course of a year.
WordPress.com, which hosts a large number of blogs, recently reported that they had been breached. I’d really like to complement the people at WordPress for their clear disclosure of the breach and for recommending that users make use of a good password management system. They include 1Password at the top of their list.
We may never know the numbers, but it is a fair guess that many breaches go undiscovered and that many of those that are discovered are not publicly disclosed. So what we see reported may just be the tip of a very large iceberg of web server break-ins.
It isn’t clear whether attackers were able to capture user passwords (encrypted or otherwise) in the WordPress breach, but we should assume that at least the encrypted passwords stored on the server are in the hands of the bad guys. If you post or comment to a wordpress.com hosted blog, it’s time to change that password.
Breaches like this are very bad news for people who use the same password in multiple places. If your password gets discovered at site A, but you use the same password for sites B, C, D … X, Y, and Z then all of those logins are vulnerable. That is the problem of “password reuse.” But if you have been using 1Password with its Strong Password Generator, you are not only getting strong passwords for each site, but, more importantly, unique passwords for each site.
I know that many of our regular readers may be getting tired of me rattling on about password reuse. I promise that my next blog post will be about something else. But for those who haven’t seen it yet, please take a look a our tips for finding and cleaning up duplicate Logins.
While we do use WordPress (and we love it), our blog isn’t hosted on wordpress.com, so logins here aren’t affected by the breach.