Security Archives - Frank Corso

It feels like every week we see dozens of stories in the news concerning accounts that have been hacked. We have seen hacks including Kylie Jenner’s Snapchat, Ariana Grande’s Instagram, 1 billion Yahoo accounts, McDonald’s Twitter account, and much more. Many of these hacks could have been avoided had the user enabled two-factor authentication.

What Is Two Factor Authentication?

Two-factor authentication, sometimes called “2Fa”, “TFA”, and “Two-step”, is the process of allowing a user to log in or authenticate using a second form of authentication. This second form is usually something you have such as a phone or hardware key which I’ll go over shortly.

While two-factor is growing in usage, the idea behind it has actually been around for many years. In fact, when you try to make a purchase with your debit or credit card, occasionally sites will ask for the billing zip code as well. This would be an example of a second form of authentication. In the CNET’s Two-Factor Authentication FAQ, they jokingly list two-factor as being “Older than life itself.”.

Using two-factor authentication on any of the sites or apps that you use adds an additional layer of security to your account making it much more difficult for a hacker to successfully get into your account. With two-factor enabled, if a hacker were to get your username and password, it would not be enough for the hacker to get in. The hacker would need to have your second form of authentication as well.

Even though this is an extremely useful tool to use, many sites and services do not try hard enough to educate their users about this process. In fact, it is estimated that less than 10% of Google users have two-factor authentication turned on for their account.

The Different Methods

Two-factor authentication is normally used to describe three different methods for getting a second form of authentication: hardware keys, time-based 6 digit authentication codes, and SMS codes.

yubikey photo — Photo by Håkan Dahlström

Hardware Keys

The Verge refers to hardware keys as the “most secure form of two-factor”. Hardware keys are usually small items that you can carry with you which can be used to authenticate yourself. One of the most common versions is the Yubikey. Most hardware keys are small devices that can be inserted into the USB of your computer. After logging into your account, you would be prompted to insert the hardware key for the secondary authentication. Since keys now start at around $20, this is an affordable option. However, this will require you to carry this key with you to wherever you would be trying to log into your accounts.

6 Digit Auth Code

The most common form of TFA is the 6 digit authentication code. In most cases, you would have a secondary app or site that you use to generate these codes. Every time you log into a site, you would be asked for a 6 digit code. At that point, you can open an app to generate the code for you to enter. The most popular authenticator is Authy which has apps for iOS and Android as well as a Chrome extension. If you are using LastPass for your password manager, that service also has its own authenticator. Another alternative would be the Google Authenticator found in most app stores.

SMS

If there were a method for you to try to avoid, this would be it. While using two-factor authentication with SMS is much better than not having two-factor, the other two options are much more secure. If a hacker was trying to get into your accounts, they may be able to get access to your cell phone carrier. Once getting access, they could easily receive any SMS sent to you including ones that have codes to be used in two-factor authentication.

For example, there was a major hack recently because Telegram was sending SMS for verification which was intercepted by hackers. The National Institute of Standard and Technology (NIST) recently updated its Digital Identity Guidelines to remove their recommendation for using SMS for one-time passcodes. Of course, this is still better than nothing. So, if the only option for two-factor was SMS, I still recommend using it but would ask (or bug) the company’s support to plan on allowing for the 6 digit auth code method above.

Getting Started

To get started with two-factor, log into one of your accounts to see if that have an option for two-factor authentication. You can refer to https://twofactorauth.org/ to check which site has two-factor and then tweet or post to one who hasn’t added the option yet. In most sites, such as Google, Facebook, Twitter, and more, you can find the two-factor option in the account or security options. For example, you will find Facebook’s two-factor setting (pictured below) in the “Security and Login” section of the settings.

The next steps will depend on the site but it usually involves turning on the option and then entering in a code that you are sent through SMS or copied from your authenticator app depending on which method is available in that service.

If This Is So Important, Why Are So Few People Using It?

After reading about TFA, you may be wondering why more people are not using it. A study from the University of Phoenix found that 52% of adults were willing to overlook risks in cybersecurity for the sake of convenience. Since it is quicker to log into sites without using TFA, many users choose not to enable this. In another study by TeleSign, it was found that 72% of users want a secondary form of security but only 20% turned on TFA after a hack.

52% of adults are willing to overlook security risks for convenience. Using TFA should be a must! Click To Tweet

However, many users do not follow the best password practices. For example, nearly 71% of accounts had passwords that were the same as the user’s accounts on other sites. This is even higher in millennials who SecureAuth found that 92% reuse the same password. While it may be slightly inconvenient to use TFA, it should be something everyone considers. At least until something better comes along.

When it comes to securing your WordPress site, there are dozens of tasks and best practices to follow. However, one area that many people neglect to consider is the passwords. Today, I am going to give you 6 tips for keeping your site’s passwords secure.

Do not use words in your password

I was working with a user the other day and his password was his name followed by a number. It was something similar to Frank55. When a hacker is using a brute force attack, he or she will usually first go through every word in the dictionary and combine with various characters and numbers. This is referred to as a dictionary attack. By using words in your password, the hacker will be able to get into your site after running a quick dictionary attack script.

Do not use short passwords

When hackers are using a brute force attack, they are cycling through every possible password. When you use a 2 character password such as PW, the hacker only has to try roughly 2,500 possibilities which only takes less than a second using a script. When using a 6 character password such as aT4h*q, the hacker has to try roughly 15625000000 possibilities which takes a few seconds. When creating a password, you should have at least 15 to 20 characters in the password. For example: 3)S’Fb2rVa:?Sc-t@~D&. This creates 9.536743164×10³³ possibilities which will take much much longer.

Use multiple types of characters

When creating your password, never use all numbers or all letters. You should always have a variety of lower-case letters, upper-case letters, special characters, and numbers. For example, a strong password could look something like this: W4:5~Bkt9;KL:Rqt. Luckily, there are plugins to help when creating your passwords. The plugin I use on all of my sites and highly recommend is Strong Password Generator. This plugin will add a button to generate a strong password. This button will appear when creating users and when changing passwords.

Change passwords regularly

If your password is comprised, the hacker will not always use your password immediately. Also, the longer you have the password, the more people/services that you may have given it to. You should have all users change their passwords at least every 3 or 4 months. Fortunately, there are plugins that help with this. I personally use Expire Passwords which allows you to require users to change their passwords after the interval you set. I usually require user to change their passwords every 90 days. This includes all admins and myself as well.

Do not give your password out

I see this one quite a bit. Your password should only be used by you in most cases. The more people that you have using your password, the more chances of it being comprised. Also, the way you give your password to people can also be comprised. Never send your password to someone through email or IM. If you have someone that needs access to your site, such as a developer, always create a temporary developer account for them. Once they are finished, delete the temporary user. Never give them your password.

Use different passwords for each site and service

I see this quite a bit. It may be convenient to have the same password for your website, your bank account, your email account, and your IM account so you don’t have to remember multiple passwords. However, if one gets comprised, the hacker will immediately look for other accounts you have to see if the password works there also. Always use a unique password for every account you have.

Do you have any best practices or tips for password security that you follow? Be sure to comment below!