It took independent security researcher Jeremi Gosney about six days to crack more than 90 percent of the 6.5 million SHA1 hashes exposed in the LinkedIn breach. He recovered a fifth of the plaintext passwords in just 30 seconds. In the following two hours, he cracked another one-third of them. One day into the exercise, he had recovered a total of 64 percent, and in the five days that followed he cracked another 26 percent.
A great insight into how passwords are cracked and why you should use a strong, unique password. The article also mentions a computer, built with commodity hardware, that “requires just 12 hours to brute force the entire keyspace for any eight-character password containing upper- or lower-case letters, digits or symbols.”
For a while now I’ve used two-factor authentication with my Google Apps account. That is the combination of something you know – your password – and something you have – in this case a free App for your smartphone that generates a new six-digit code every thirty seconds.
What I didn’t realise was that it was an open-source project that you could implement on any website or service that you cared to and that someone has helpfully created a WordPress plugin that does exactly that.
In the current version (0.38) there seems to be a bug where you can’t have spaces in the description field, but other than that it works a treat and I’ve already installed it on a couple of WordPress sites I run.
Note: the plugin requires the SHA1 and SHA256 hashing algorithms to be available on the server. Helpfully it will check for these when it activates, so you don’t have to worry about tracking them down if you’re not sure.