I realized the other day that I had accidentally violated my own strict security practices.

As a WordPress security consultant, I’m hyper-vigilant about making sure that my assets, as well as those of my clients, are fully secure. It doesn’t matter what the system – websites, IT infrastructure, firewalls, social media accounts, or anything else – they’re constantly being probed 24×7 for weaknesses and vulnerabilities.

The bad guys want in.

I received an odd email a few days ago that appeared to come from LinkedIn. It came at 4:56 a.m. (I was in bed still) and the subject line read, “Thomas, here is your link to sign in to LinkedIn” with a button “Sign in as Thomas”. It said someone was attempting to log into my account from Bardstown, Kentucky (I live in California).

No, I didn’t click the button or the link to “change your password”.

I wasn’t too worried, because I have two-factor authentication (2FA – also called multi-factor authentication or MFA) turned on everywhere. But it was strange. So, I immediately got onto my computer and changed my password on LinkedIn using a random many-character password generated by LastPass. I checked the box that said, “Force all other logged-in devices to log in again with the new password.”

But then I noticed that 2FA was NOT turned on in my account!

Ugh.

I always make sure 2FA is on for any online account I have – banking, credit cards, social media, etc. The last thing I want is for someone to take over any account that I have and do damage or worse.

Last year, my 92-year-old mother’s email account got hacked, even though it had a strong, random password. Someone managed to brute force it, and got in, sending emails to all her friends (including me) that she needed money or something stupid.

Bastards.

I logged into her account, reset the password, and set up 2FA right away.

Why Passwords are Weak

We’ve been using a user ID and password combination to log into systems for what seems like forever. Many times, your user ID is your email address. Way back in the day, I had a favorite user ID and favorite password that I used over and over again. It was easy, and I didn’t have to think about it. I figured it was “good enough”.

One study showed that 13% of Americans use the same password for every account, and 52% reuse the same password for some of their accounts.

According to Norton, 24 billion passwords were exposed by hackers in 2022. Reusing a password just means you’re vulnerable on multiple platforms. According to them, “over 80% of confirmed breaches are related to stolen, weak, or reused passwords.”

I started using a password management system called LastPass several years ago. It was mostly out of desperation more than being security conscious. I just had too many damn passwords to keep track of, and I was forever resetting passwords that I couldn’t remember.

Over time, I started letting LastPass generate new, random passwords for me and replace the weak passwords that I’d reused. LastPass even flags it if I reuse a password.

But so many systems get hacked each year – including LastPass – and with those billions of compromised user IDs, people leave themselves open to getting breached in the simplest way possible.

You can even check to see if your favorite password is in the wild here. It likely is.

Watch how easy it was for Donie O’Sullivan, a CNN reporter, to get his password hacked.

Why Is Two-Factor Authentication Important?

Two-factor authentication requires a second piece of information after successfully logging in with a user ID and password. The system may email or text a six-digit (or longer) code to the account owner, or require an app like Google Authenticator or LastPass Authenticator, which generates a fresh six-digit code every 30 or 60 seconds.

The assumption is that only the account owner can produce the second login factor, so it makes it very difficult for someone to get in with only a password.

That’s why I was horrified when I realized that I hadn’t turned on 2FA on my LinkedIn account!

If someone truly had managed to guess my LI password, they would have been able to get in without any further verification.

Yikes.

Passwordless Logins

More recently, I’ve been seeing the option of a passwordless login. It comes in one of two forms:

  • Using a “Magic Link” that emails a special link with a one-time token to the account owner’s email account.
  • Using a passkey.

With the first option, the theory is that only the account owner could use it, because they should be the only one with access to the email account. But of course, if the account owner hasn’t secured their email with a strong password and 2FA, it’s possible that someone could use that to breach whatever system relies on it.
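The server side of a magic link is what decides whether the emailed token is really one-time and short-lived. This is an added example, not code from the post or from any particular product; the store, the 15-minute lifetime and the API names are assumptions. The token itself only ever leaves the server inside the emailed URL; the database keeps a hash, an expiry and a used flag, so a leaked table does not yield working links and a link cannot be replayed.

```python
import hashlib
import secrets

LINK_TTL_SECONDS = 15 * 60  # assumed policy: a link is good for 15 minutes

class MagicLinkStore:
    """Hypothetical in-memory store; a real service would back this with a database."""

    def __init__(self) -> None:
        # token hash -> [email, expires_at, used]
        self._tokens: dict[str, list] = {}

    @staticmethod
    def _key(token: str) -> str:
        # Store only the hash: a stolen table cannot be turned back into usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str, now: float) -> str:
        """Create a 256-bit unguessable token for `email`; the caller puts it in the emailed URL."""
        token = secrets.token_urlsafe(32)
        self._tokens[self._key(token)] = [email, now + LINK_TTL_SECONDS, False]
        return token

    def redeem(self, token: str, now: float):
        """Return the email for a valid, unexpired, never-used token, else None.
        The token is marked used before returning so a second click on the same link fails."""
        entry = self._tokens.get(self._key(token))
        if entry is None:
            return None
        email, expires_at, used = entry
        if used or now > expires_at:
            return None
        entry[2] = True
        return email

if __name__ == "__main__":
    store = MagicLinkStore()
    link = store.issue("owner@example.com", now=1000.0)   # constructed sample account
    print("first use :", store.redeem(link, now=1060.0))  # owner@example.com
    print("second use:", store.redeem(link, now=1061.0))  # None (already used)
```

Note that none of this helps if the mailbox itself is weakly protected: whoever can read the email can click the link, which is exactly the risk the paragraph above describes.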

Using a passkey is a bit more involved. According to Google, “A passkey is a digital credential, tied to a user account and a website or application. Passkeys allow users to authenticate without having to enter a username or password or provide any additional authentication factor. This technology aims to replace legacy authentication mechanisms such as passwords.”

That sounds pretty good, but not many systems use passkeys yet.

With Windows computers, the passkey is tied to the PC owner’s Windows account on that computer, and if they change computers, the passkey isn’t available.

Fortunately, on Macs, passkeys are stored in the keychain, which syncs across all devices, making it easier to switch computers.

What I’m unclear about though, is that on my Windows 11 computer, all it takes is a 6-digit PIN to log in. In theory, if my PC were stolen, all that stands between my computer and someone having access to my systems is a simple 6-digit PIN which is VERY insecure. I haven’t found an answer to this yet.

On my Mac, I’ve got a very strong password that must be entered to log in (no PINs), and my iCloud password is annoyingly long at more than 20 random characters and has 2FA enabled, so it’s highly unlikely that someone could crack that.

However, just to be safe, where I do use a passkey, I still have 2FA turned on.

The Future of Security

On the horizon are biometrics including facial, fingerprint, and voice recognition technology to validate that the person trying to access the system is who they say they are.

Certainly, this is in its infancy for day-to-day systems. It seems to me, though, that this could be fraught with issues:

It’s been shown that iPhones (that use facial recognition to unlock) have trouble distinguishing between identical twins. What happens if you’re asleep or unconscious from too much New Year’s cheer, and someone holds your phone to your face? They’re in with no further authentication needed. Further, what happens if someone has to have facial surgery due to an accident or elective procedures?

A recent study shows that fingerprints aren’t as unique as we once thought they were. Again, the question comes up for me, what if a digit is lost or damaged in an accident?

I don’t know exactly how voice recognition works, but a similar question arises: if someone is sick or has laryngitis, what happens then? With AI now, it’s easy to replicate someone’s voice and get it to say anything, which, theoretically, would leave us completely vulnerable.

We’re Not There Yet

System security is top-of-mind for me when I’m building a website for a client or managing someone’s website. It’s so easy to get the user IDs on a WordPress website, and with that information, if I were a hacker (which I’m not), it wouldn’t take much effort to break into most websites.

Over 90% of all website hacks happen on WordPress because they haven’t been properly hardened. Just throwing a plugin at it is not enough. I’ve UNhacked many websites that had a common “security” plugin installed, and despite their marketing and hype, it did nothing to prevent the hack.

Unfortunately, we’re a long way from having a bullet-proof system that only lets the real person in and keeps the bad guys out.

But we’ve come a long way too – if only people would use technology like password managers to generate random passwords on all systems and 2FA to make it that much more difficult for the bad guys to get in. Just remember, no matter who you are, someone wants into your systems.

If you have a WordPress website, let’s talk, because it’s likely that you’re very vulnerable to being hacked.