If you’re a customer of iThemes, you’re already aware that there has been an attack on their administrative systems. If you’re not aware of the iThemes hack, you need to be. These attacks are reported so routinely, and so breathlessly, that the coverage mainly desensitizes people, IMO. It’s important to know that there are different types of hacks, with very different results.
In this case, iThemes’ servers were compromised, which means the attackers gained entry to them. What’s not known at this point is how much data, if any, was stolen. Such situations have to be treated as a worst-case scenario: unless there is solid proof that data was not stolen, assume that it was.
iThemes has been very open and transparent in responding to this event. To their credit, they have laid out the details for all to see. Some of those details are pretty ugly.
Specifically, the user database was located on the server that was breached. Even worse, the user IDs and passwords in that database were stored in clear text.
Oh. My. God.
Why Is This A Big Deal?
For those who may not know, “clear text” (also called plain text) means the data is stored exactly as it was typed: anyone who can read the database can read the passwords. Passwords should never be stored that way, and strictly speaking they should not be stored “encrypted” either, because anything encrypted can be decrypted by whoever holds the key. A truly secure password system stores a one-way hash instead: the password is run through a function whose output looks like gibberish to a human and cannot be turned back into the original password. The only way to recover a password from a properly built hash is to guess candidate passwords and hash each one, and when every user gets a unique random salt and the function is deliberately slow, that takes massive amounts of computing power and time for each password.
WordPress stores passwords in such a manner (it uses the phpass library, which salts each password and hashes it over many rounds). When you log in, WordPress runs the password you entered through the same one-way function with the same salt and compares the result with the stored hash. It cannot take the stored hash and make the password legible, because the hashing process is one-way.
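The store-and-verify pattern described above, as an added example that is not WordPress’s own code (WordPress does this in PHP with the phpass library). It uses PBKDF2-HMAC-SHA256 from Python’s standard library to show the same three properties: a random salt per password, a deliberately slow function, and verification that re-hashes the input rather than decrypting anything. The iteration count and record format are choices made for this example.

```python
"""Salted one-way password storage and verification (illustration only)."""
import hashlib
import hmac
import os
from typing import Optional

# Work factor: slows down offline guessing of a stolen hash. Assumed value for
# this example; real systems tune it to their hardware.
ITERATIONS = 200_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    The password itself is never stored; only the salt and the one-way digest are.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-run the one-way function with the stored salt and compare digests.

    Returns False for a malformed record (for example a clear-text value that
    somehow ended up in the column) instead of raising.
    """
    try:
        algorithm, iterations_str, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations_str)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)                                               # gibberish, not the password
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Correct horse battery staple", record))  # False
```

Note that hashing the same password twice yields two different records because the salt differs, so an attacker with the stolen table cannot spot which users share a password, and has to attack each hash separately.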
How Did This Happen?
Why would iThemes have stored passwords in clear text? The explanation given is that the membership software they have been using since they started the company stores passwords that way. If they knew about that at the time, they’d obviously forgotten that fact until now. Having dealt with legacy systems for many years, I understand that scenario all too well.
What Can I Do About It?
So, lesson #1: if you use membership software, or any other software that collects user data including passwords, check that it stores those passwords as one-way hashes rather than in clear text. If the membership plugin you’re using with WordPress stores registrations in the WordPress user database, you’re in good shape: as explained above, WordPress salts and hashes every password. Do still confirm that the plugin doesn’t keep a second copy of the password somewhere else, such as in its own table, in a registration log, or in the welcome e-mail it sends.
Some membership plugins keep their own tables and don’t use the WordPress user database. Such plugins need to be checked and the password storage method verified. The quickest check is to register a test account and look at the stored value: if you can read the password, it’s clear text; a bare 32-character hex string is an unsalted MD5 hash, which is almost as bad because it can be looked up in precomputed tables; a value beginning with a recognizable hash prefix such as $P$ (phpass) or $2y$ (bcrypt) is what you want to see.
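The check just described, as an added example rather than any plugin’s own code: it classifies the values found in a password column as clear text, weak unsalted hash, or a recognized salted hash format by their prefixes. The sample rows are constructed to imitate a mixed-quality table (in a real audit they would come from something like `SELECT user_login, user_pass FROM wp_users`, or the plugin’s own table). The prefix table covers common formats; an unlisted prefix means “inspect by hand”, not “safe”.

```python
"""Triage a password column: hashed, weakly hashed, or clear text?"""
import re

# Prefixes written by common one-way password hash formats.
HASH_PREFIXES = {
    "$P$": "phpass (WordPress/phpBB, salted iterated MD5)",
    "$H$": "phpass (phpBB variant)",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$argon2i$": "Argon2i",
    "$argon2id$": "Argon2id",
    "$5$": "SHA-256 crypt",
    "$6$": "SHA-512 crypt",
}

# A bare 32- or 40-character hex string is almost always unsalted MD5 or SHA-1.
UNSALTED_HEX = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40})$", re.IGNORECASE)

CLEAR_TEXT = "CLEAR TEXT"


def classify(value: str) -> str:
    """Return a verdict string for one stored password value."""
    for prefix, name in HASH_PREFIXES.items():
        if value.startswith(prefix):
            return f"hashed ({name})"
    if UNSALTED_HEX.match(value):
        return "weak hash (unsalted MD5/SHA-1, crackable with precomputed tables)"
    # Anything else is readable as typed, or an unknown scheme to inspect by hand.
    return CLEAR_TEXT


def audit(rows):
    """rows: iterable of (login, stored_value). Returns a list of (login, verdict)."""
    return [(login, classify(value)) for login, value in rows]


def plaintext_logins(rows):
    """Logins whose stored value is not a recognized hash at all."""
    return [login for login, verdict in audit(rows) if verdict == CLEAR_TEXT]


# Constructed sample rows, not data from any real site.
SAMPLE_ROWS = [
    ("alice", "$P$B" + "abcdefgh" + "i" * 22),          # WordPress phpass hash (34 chars)
    ("bob",   "$2y$10$" + "a" * 53),                      # bcrypt hash (60 chars)
    ("carol", "5f4dcc3b5aa765d61d8327deb882cf99"),        # md5("password"), no salt
    ("dave",  "Summer2014!"),                             # stored exactly as typed
]

if __name__ == "__main__":
    for login, verdict in audit(SAMPLE_ROWS):
        print(f"{login:8} {verdict}")
    print("clear-text accounts:", plaintext_logins(SAMPLE_ROWS))
```

A recognized prefix only tells you the column itself is hashed; it says nothing about whether the plugin also wrote the clear-text password to a log, an export, or an e-mail, so check those separately.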
Lesson #2: if you are an iThemes customer and have used the same username and password on other sites, the odds just went up considerably that someone has your login credentials and can use them to access another site on which you’re registered. The bad guys add the stolen user IDs and passwords to their lists of known credentials and feed those lists to bots that try them against every login form they can find (this is known as credential stuffing).
We all get lazy and do it. If you’re using the same user ID and password on multiple sites, STOP DOING THAT NOW! Yes, I know it’s inconvenient to have to remember multiple passwords; if you belong to a significant number of sites, it’s impossible to remember that many.
The solution is to use a password management tool. My preference is Roboform. There are others out there that probably work equally well. The important thing is to pick one and use it. You can get info on Roboform here:
Roboform is free for the basic version. There is a limit on how many passwords you can store with the free version and there is no capability to sync the password database between multiple devices. The paid version lets you have unlimited passwords and will sync your password database across any number of devices.
Just a word of caution: I don’t know of any password managers that work well on mobile devices yet. Roboform does have a version for Android (and probably iOS), but it doesn’t work quite the same way as it does on a laptop or desktop. If you have a favorite password manager that works efficiently on mobile devices, feel free to leave a comment and let us know.
iThemes’ Handling Of The Situation
Finally, I just want to say that I admire iThemes’ handling of this situation. While the mistake is a really big one and there’s no good excuse for it, they are being open and honest about it and doing all they can to mitigate the consequences to their customers. Mistakes happen. The measure of character is how those mistakes are dealt with by those who made them.
Image credit: Brian Jackson – Fotolia.com