-3

If a hacker got hold of your WordPress wp-config.php file and a dump of your database containing your hashed password, how hard would it be for them to easily crack your password, even if you are using a hard-to-guess password like "Th1siSmyP@$$"?

kuchi
  • 105
  • 2
  • 6
    Just a tip: that password is not hard to guess by even semi-modern brute force search tools. All the common letter/symbol/number substitutions are quite well known. – alzee Jul 08 '16 at 18:44
  • I'd encourage you to edit the question, as I don't think it's well defined. What do you mean by "security risk"? What are you worried the hacker might get or do? – Jesse K Jul 08 '16 at 18:48
  • 4
    You're already owned. – Fiasco Labs Jul 08 '16 at 18:52
  • 2
    It is trivial, you are completely owned. Leet speak makes bad passwords. – rook Jul 08 '16 at 19:07
  • Dang!!! That is not my password but something close to that. I thought those were already hard to guess. Well then, I guess I'm wrong :( – kuchi Jul 08 '16 at 19:20

2 Answers

6

That depends on their processing power. Cracking a password locally is much more efficient than remotely and doesn't require avoiding any detection.

Note that there is no point in asking such a question as your system is already compromised and the hacker already has access to your hosting space if they get access to the PHP script. At this point, your only valuable solution is to do a full reinstall of WordPress and change all the passwords (or at least the admins and editors).

Julie Pelletier
  • 1,919
  • 10
  • 18
  • 1
    Well, there are some instances when a site backup, including a backup of the db, gets downloaded by a hacker. They don't yet have access to the server while the password is not yet cracked. Changing the password and keys is enough, right? And yeah, deleting the public-facing site backup :) – kuchi Jul 08 '16 at 19:24
3

The above answer is very good, but just to add to it:

Once that database is run against offline dictionary attacks with special rule files, I would not be surprised if over 40-50% of the passwords in it were cracked. Those rule files are what would perform substitutions in order to go from a word like "this" to "This" or "Th1s".

  • Make sure you do not reuse any of the passwords in that database, not only for WordPress, but for any other sites.
  • I would also change all of your online site passwords immediately.
  • Reinstall everything (OS, WordPress, etc.) with new passwords.
Zack
  • 486
  • 2
  • 6
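
The substitution rules described in the answer above can be run in reverse as a password-acceptance check: undo case changes and common leet substitutions, then test whether what remains is only dictionary words. This is an added example, not part of the original answers; the substitution table, the tiny wordlist and the function names are constructed for illustration.

```python
from itertools import product

# Common leet substitutions, reversed (constructed table, not exhaustive).
# "1" is ambiguous (i or l), so every reading is tried.
DELEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s",
          "7": "t", "@": "a", "$": "s", "!": "i"}

# Constructed sample wordlist; a real check would load a large dictionary.
WORDS = {"this", "is", "my", "pass", "password", "word", "admin", "letme", "in"}


def normalized_variants(password):
    """Yield lowercase candidates with leet characters mapped back to letters."""
    options = [DELEET.get(ch, ch) for ch in password.lower()]
    for combo in product(*options):
        yield "".join(combo)


def splits_into_words(text, words=WORDS):
    """Word-break DP: True if text is a concatenation of dictionary words."""
    reachable = [True] + [False] * len(text)
    for end in range(1, len(text) + 1):
        reachable[end] = any(
            reachable[start] and text[start:end] in words
            for start in range(end)
        )
    return reachable[-1]


def is_rule_guessable(password, words=WORDS):
    """True if undoing case and leet substitutions leaves only dictionary words."""
    return any(splits_into_words(v, words) for v in normalized_variants(password))


if __name__ == "__main__":
    # Constructed sample inputs: the question's example, a classic, a random string.
    for candidate in ["Th1siSmyP@$$", "P@55w0rd", "xq7#Lw9v-Rk2m"]:
        verdict = "reject" if is_rule_guessable(candidate) else "no dictionary match"
        print(candidate, "->", verdict)
```

A "no dictionary match" result only means this small wordlist found nothing; it is not evidence that a password is strong.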