WordPress.com security violated

Posted on 2011/04/14


Here’s the public announcement: Security Incident — Blog — WordPress.com.

Why are they emphasizing having a strong and unique password? I think it’s the right thing to suggest in this case. My understanding is that the attackers could have accessed the database containing the users’ obfuscated passwords. Usually the passwords are salted and hashed (and I trust that WordPress.com does this) and so does WordPress.com, which means an attacker can’t, directly:

  • read the passwords (because they are hashed)
  • understand if a user has the same password as another user (because they are salted)
  • perform an efficient brute-force attack if the password is strong (because hash functions are difficult to invert)

In my opinion a brute-force dictionary-based attack could give good results if they got hold of the data of a large set of users. This because, with respect to attacks targeted to a single user, the common passwords can be tested one by one on all users, and statistically it’s very possible that one of them has an easy-to-guess password. The attackers could reach the low hanging fruits, while the users with good passwords are exponentially more costly to attack. For this reason I believe most of us are very safe, and the ones that should be preoccupied are those with weak passwords; once they got hold of their “secrets”, the most common thing to do is try to reach their other accounts, specifically the e-mail, by trying the same password or other variations. Another follow-up could be the modification of the links in the compromised blogs to point to their own malicious websites.

If the attackers want to target specific users, I think the economically smart thing should be to pick the “important” ones, as suggested in this PCWorld article. The common users should feel reasonably safe.

I’m confident that WordPress.com is doing a good job: no one is really able to defend against all attacks, not even RSA. That said, I’m changing my password anyway, just in case the attackers are targeting specifically me and in a couple of months they manage to crack the salted password that they stole yesterday.

Posted in: Security