Seanooi.net

An Anthology of Stochastic Thoughts

How secure is your login?

Posted under Tips

Security is an issue that is frequently talked about, especially internet security. No one wants their personal information known to outsiders, so people tend to be very cautious when dealing with that information. Unfortunately, not everyone shares the same belief, and the first thing that came to mind is this quote I found a few weeks back.

What is the difference between Mark Zuckerberg and me? I give private information on corporations to you for free, and I’m a villain.
Zuckerberg gives your private information to corporations for money and he’s Man of the Year.
Julian Assange

Regardless, Facebook still has a HUGE user base. Some people actually have their home addresses and phone numbers posted on Facebook, and sadly they don’t really care if their information gets exposed.

Back to what I wanted to talk about: WordPress.com handles your login securely over a TLS/SSL connection, but self-hosted WordPress blogs do not unless you have an SSL certificate. Certificates don’t come cheap, typically around $50-$300 or more per year, depending on which vendor you choose and which services you need.

Usually, when you log into your self-hosted WordPress blog, your username and password are transmitted in plain text, meaning any regular packet sniffer will be able to find out what your username and password are. The screenshot below is the login packet I captured when logging into my own blog without any encryption. The username and password I used are:

Username: demo
Password: demo123!

[Screenshot: unencrypted login packet]

If you’re wondering, %21 is the URL-encoded form of ! (21 is its hex code). So, as you can see, the username and password are fully exposed.
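The point about %21 can be checked offline. The following is an added example, not part of the original post: it parses a constructed cleartext login request and shows that percent-encoding is only a transport encoding that anyone on the path can reverse. The host name, the function name and the use of WordPress's standard `log`/`pwd` form fields are assumptions, since the screenshot itself is not reproduced here.

```python
from urllib.parse import parse_qsl

# Constructed sample: a cleartext HTTP login POST as it appears on the wire.
# "log" and "pwd" are WordPress's standard login form fields (assumed here).
CAPTURED = (
    b"POST /wp-login.php HTTP/1.1\r\n"
    b"Host: blog.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 40\r\n"
    b"\r\n"
    b"log=demo&pwd=demo123%21&wp-submit=Log+In"
)

# Constructed sample: the first bytes of a TLS handshake record. Over HTTPS
# an observer sees records like this instead of the HTTP request.
TLS_RECORD = b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" + bytes(32)

SENSITIVE = {"log": "username", "pwd": "password"}


def exposed_credentials(raw: bytes) -> dict:
    """Return the credential fields readable from captured request bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/x-www-form-urlencoded":
        return {}  # not a readable form post (for example, TLS ciphertext)
    # parse_qsl reverses percent-encoding: %21 -> "!", "+" -> " "
    fields = parse_qsl(body.decode("ascii", "replace"), keep_blank_values=True)
    return {SENSITIVE[k]: v for k, v in fields if k in SENSITIVE}


if __name__ == "__main__":
    print("cleartext HTTP:", exposed_credentials(CAPTURED))
    print("TLS record:    ", exposed_credentials(TLS_RECORD))
```
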

Well, as I’ve said, SSL certificates aren’t cheap, and I don’t plan to fork out a huge sum of money to get one. But I found a nice plugin called Semisecure Login Reimagined that somewhat encrypts your password (but not your username) before transmission. It’s not a totally secure way of dealing with passwords, but it’s free, and it fits my needs nicely. The screenshot below is the login packet I captured with the Semisecure plugin activated. The username and password I used are the same as in the example above.

[Screenshot: login packet with the Semisecure plugin activated (encrypted)]