During a recent security assessment RedZone asked the customer a standard question about password management:
“Are your passwords being changed on this outsourced web server?”
With Heartbleed, WordPress, and SSL vulnerabilities, an assessor must ask this question. The customer was insistent that the passwords are being changed frequently. That same day the customer received notification from the FBI that their site was hacked, and was being used as spam relay. Vast quantities of data were being hoisted from their site. Why? Because they had not recently changed their passwords. They had made the process of guessing the password easy. The attacker literally had to do nothing except guess a password.