Just found out earlier today that some of the WordPress.com servers were hacked. Matt Mullenweg revealed the incident and posted a warning about passwords via the WordPress.com blog. Although the hacks were low-level, there’s a possibility that all or any of the information kept on those servers could’ve been revealed.

Matt Mullenweg has this to say about the incident:

We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.

Even though WordPress passwords are hard to crack because they use phpass – a Portable PHP password hashing (password encryption) framework, it’s still a good idea to update your password after an event like this. Additional advise for WordPress.com users – use strong passwords (at least 8 characters – using combinations of letters, numbers and characters), use different passwords for different sites and never use the same password for two different sites.

Please take note that the ones affected by this hacking incident are blogs hosted on WordPress.com not WordPress.org (self-hosted blogs). However, if you run a self-hosted blog but also have a WordPress.com account, make sure that you don’t use the same password for both sites.

Aside from negligence, the reason why some people’s email accounts or social network accounts gets easily hacked is because they use weak passwords. A good example of a weak password would be “password” which is #1 in the list of most commonly used passwords online. So what is a strong password? Strong passwords are relatively long (at least 8 characters) and uses a combination of lower and upper case letters, digits and symbols.

If you’re having a hard time creating or thinking of a strong password,
here are some tools that can help you:

Websites:

• PassPub
• Strong Password Generator
• PC Tools Password Generator

Offline Programs:

• PassBuilder
• PWGen

Firefox Add-ons:

• SecurePassword Generator
• Magic Password Generator

Now that you have a strong password, please keep it and guard it with your life. That might be a little exaggerated but I know you get my point. I hope that after you read this post, you won’t be too lazy or negligent with your passwords and that you’ll practice safe computing from now on.

So how secure is your password? What are your methods of choosing or creating passwords? Do you know of other reliable password generators? Do you have any experiences of having your accounts hacked? Please share it with us.

Btw, do you know that Windows XP has a secret password generator? If you wanna know how to use it, you’ll have to come back next time coz there’s not much time left to talk about it here. So stay tuned!

Several days ago, I got 500 Internal Server errors while trying to access my blog and WordPress admin panel so I immediately I sent a ticket to Dreamhost’s support staff. Right after that, I accessed Dreamhost’s status page to check if there were known issues or problems with the servers or hosting in general. In a recent post, I read one person mention something about a FTP password security breach in Dreamhost. I totally forgot about it and I didn’t get to find out what it was all about.

Then earlier today, I received this email from Dreamhost:

A very small subset of our user accounts have been compromised due to a security flaw in our web control panel software. We have already notified those of you affected directly via email, aside from dedicated server customers who are being notified right now. If you are not on a dedicated server and you have not gotten an email from us your account has not been compromised and is likely safe. It’s still a good idea to change your ftp and web control panel password as a precautionary measure.

The security flaw allowed the attackers to log into our web panel with the access privileges of another user. From our web panel they were able to access individual user password information. The attackers also attempted to gain access to our central database and billing information but were ultimately thwarted in that attempt. No credit card information or customer personal information was obtained.

After reading this, I went and tried to do a Google search on this incident. I found out that about 3,500 separate FTP account passwords were leaked and used by hackers in an effort to gain access to the database and billing information of Dreamhost.

Right that moment, I logged on to my Dreamhost web panel and changed all my passwords. Then I checked my folders and files to see if there were any changes made and also checked if there were files uploaded without my knowledge.

I know of some Dreamhost clients who left and moved to a different web host after this incident. Me? I think I’ll stay for now but it does make me think of looking for a better web host just in case I need to move.