Tagged: 2FA

It’s Time to Get Rid of “Security” Questions

Since 2009 or so, I’ve been using and preaching about using a password manager to generate and track all of your usernames and passwords. Until some other system comes along, the only way to safeguard your user accounts is to use a complex and unique password for every one of your accounts. If hackers steal a site’s user database and can decipher your credentials for that site, they can use those credentials to log in to other sites where you use the same password. But with a password manager, it’s easy to create strong and unique passwords for each site. And should hackers ever breach a site you use, you only need to change the password for that site because all your other accounts use a different password.

Yahoo Hacked… Again

Yesterday, Yahoo revealed that in 2013 hackers stole user information for about one billion Yahoo accounts. By the way, this is a separate theft from the one the company disclosed earlier this year, where thieves stole information from 500 million users in 2014.

The stolen user information includes (emphases are mine):

  • name
  • email addresses
  • telephone number
  • date of birth
  • hashed passwords
  • security questions and answers

Ordinarily, I would just change my password for any Yahoo account I have. The password manager would generate and store a new unique and complex password, and it would alert me if I had other accounts on Yahoo that needed the same treatment. It turns out I have two Yahoo accounts, although I haven’t used one of them since 2008 or so.

Because so many people use the same password for multiple sites, it’s fairly common for sites that store usernames and passwords to hash the passwords (run them through a one-way function) so that thieves can’t read them and use them to log in to your accounts. Apparently, Yahoo did this but used a hashing technique that is cryptographically broken.

“Security” Questions Aren’t Secure

However, what seems even more troubling to me is that Yahoo might not have hashed the security questions and answers that act as workarounds to access your account when you forget your password. These “security questions” are a very primitive way of verifying a user. Twenty or so years ago, when you phoned your bank, they would verify your identity using your mother’s maiden name or your date of birth. But today that seems quaint because it’s not really secure: a close friend or relative easily knows that information.

Nonetheless, many websites have used similar security questions to “safeguard” your account:

  • where were you born?
  • what is the name of your favorite teacher?
  • what is the make of your first car?
  • what is your high school’s mascot?
  • what was the name of the first street you lived on?
  • what was your first job?

With a little detective work, someone can learn all these bits of “secure” information about you.[1] As a way to strengthen this system, I use fake answers for these security questions: some are random bits of text or some are just random names. I record these in a password manager.

However, since Yahoo apparently did not hash those security questions and answers but stored them as plain text, they could be used to reset the passwords on your accounts.

Time for Two-Factor Security

If I learned something from this breach, it’s that the time has come to get rid of security questions and instead force users to use two-factor authentication.[2] This requires you to enter your password and a temporary code that is either generated by an app on your mobile device or sent to you by text message.[3] This provides a small safeguard because if hackers learn your credentials, they still need a code to access your account.

It’s certainly more secure than the name of your childhood pet.


  1. Some sites force you to choose from a list of answers. For example, United Mileage Plus asks “What is Your Favorite Sea Animal?” and offers about forty choices. United chose this method because it would prevent a hacker from logging your keystrokes and users from revealing their password in a security question. Some users need to be saved from themselves. 
  2. Last year, Google found that security questions weren’t actually secure and encouraged users to use a second factor to authenticate. They are phasing them out. 
  3. Once you activate two-factor on your Apple account, you no longer authenticate with security questions. Good riddance! 

Did Google Authenticator Lock You Out of Your WordPress.org Account?

I can’t remember when I turned on two-step authentication for my Google accounts, but I’ve adopted it for every other account that supports it, including Twitter, Facebook, Dropbox, and WordPress. For those who are not familiar with two-step authentication, it is an extra layer of security that requires you to provide two keys: something you know and something you have in your possession. Accessing a protected account requires two steps, hence the name: entering your account password (something you know) and entering a random code from your phone (something you have).
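Both this post and the Yahoo post above describe the phone-generated code without showing where it comes from. As an added example (not code from either post or from Google Authenticator), here is the RFC 4226/6238 algorithm that Authenticator and the sites it supports use: HMAC-SHA1 over a 30-second time counter, truncated to six digits, plus the server-side check that tolerates one step of clock drift. The key is the RFC test-vector key, constructed for the demo; a real enrolment secret is random and private.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30    # Google Authenticator uses 30-second time steps...
DIGITS = 6   # ...and six-digit codes with HMAC-SHA1 (the RFC 6238 defaults)

# RFC 4226/6238 test-vector key, base32-encoded as an otpauth:// URI would carry it.
# Constructed for this demo only; never reuse a published key for real enrolment.
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(base32_secret: str, at: Optional[int] = None, step: int = STEP) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the epoch.
    This is what the app on your phone computes; `at` overrides the clock for testing."""
    secret = base64.b32decode(base32_secret, casefold=True)
    t = int(time.time()) if at is None else at
    return hotp(secret, t // step)


def verify_totp(base32_secret: str, submitted: str, at: Optional[int] = None,
                window: int = 1, step: int = STEP) -> bool:
    """Server side: accept the code for the current step or up to `window` steps either
    side, because phone and server clocks drift; each comparison is constant-time."""
    secret = base64.b32decode(base32_secret, casefold=True)
    counter = (int(time.time()) if at is None else at) // step
    return any(hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    print("code right now for the demo key:", totp(RFC_SECRET_B32))
```

With `at=59` the function returns 287082, the value RFC 6238 lists for that instant, so you can check an implementation against the published vectors before trusting it with real accounts.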

Google Updates Authenticator

A popular and widely supported iPhone app for generating these codes is Google Authenticator. Earlier this week, Google updated Authenticator, which was a surprise to me. It hadn’t been updated in over a year and had an annoying bug that prevented you from editing your existing accounts. I feared Google had abandoned it because it also didn’t support the nearly year-old 1136 x 640 iPhone 5 display.

https://twitter.com/juanomatic/status/375124214073663488

Google Breaks Authenticator

As welcome as the update was for me, it turned out to be a hot mess. When I updated the app, it deleted all of my existing accounts. Without those codes, I could not access them because I need both the account password and the Authenticator code to log in to those protected accounts. Once the app was wiped, I couldn’t get any of those precious codes.

https://twitter.com/juanomatic/status/375267576844414976

Fortunately, for me, it was more of an inconvenience than a disaster because I accessed my accounts using the emergency backup codes that I had safely stashed away.

WordPress and Google Authenticator Plug-In

There was, however, one account that doesn’t have emergency codes: this self-hosted WordPress site, where the Google Authenticator plugin adds two-step authentication. I’m unsure if you can add this plugin to hosted WordPress.com sites, but I suspect you cannot since there’s no plugin area for those hosted blogs.

To regain access to a self-hosted WordPress account that has been locked out by two-factor authentication, you need SFTP or SSH access to your web hosting account.

  1. Log in to your SSH or SFTP account.
  2. Navigate to the wp-content directory.
  3. Create a directory called disabled or something else that won’t interfere with WordPress. This will be a temporary measure.
  4. Navigate to the wp-content/plugins directory.
  5. Rename (or move) the google-authenticator directory to the wp-content/disabled directory. Type something like…
    mv google-authenticator ../disabled
  6. On your web browser, load your wp-admin page. You’ll see that you will not be prompted for a Google Authenticator code.
  7. Using SSH or SFTP, move the google-authenticator directory back to the plugins directory. If you are still in the plugins folder, type something like…
    mv ../disabled/google-authenticator .
  8. Delete the now-empty disabled directory. If you are still in the plugins folder, type something like…
    rm -rf ../disabled
  9. With your web browser, go to your Dashboard and then to the Plugins area. Reactivate the Google Authenticator plugin.
  10. On your Profile page, scan the barcode to add this WordPress account to your Google Authenticator app.

Or you could stop at step five, delete the plugin, and be done with two-step authentication altogether.
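The steps above as a small script, added here as an example rather than taken from the post or the plugin: it works from absolute paths so it does not matter which directory you are in, refuses to overwrite an existing copy of the plugin, and removes the holding directory only when it is empty. The demo() function builds a constructed wp-content tree in a temporary directory; on a real site you would call disable_plugin(Path("/path/to/wp-content")) over SSH, which is assumed.

```python
import shutil
import tempfile
from pathlib import Path

PLUGIN = "google-authenticator"
HOLDING = "disabled"   # temporary holding directory under wp-content (step 3)


def plugin_location(wp_content: Path) -> str:
    """'plugins' (loaded by WordPress), 'disabled' (parked) or 'missing'."""
    if (wp_content / "plugins" / PLUGIN).is_dir():
        return "plugins"
    return "disabled" if (wp_content / HOLDING / PLUGIN).is_dir() else "missing"


def move_plugin(wp_content: Path, src_dir: str, dst_dir: str) -> Path:
    """Move wp-content/<src_dir>/google-authenticator to wp-content/<dst_dir>/ using
    absolute paths (the cwd does not matter) and never overwriting an existing copy."""
    src, dst = wp_content / src_dir / PLUGIN, wp_content / dst_dir / PLUGIN
    if not src.is_dir():
        raise FileNotFoundError(f"{src} not found; is {wp_content} really wp-content?")
    if dst.exists():
        raise FileExistsError(f"{dst} already exists; refusing to overwrite it")
    dst.parent.mkdir(exist_ok=True)
    shutil.move(str(src), str(dst))
    return dst


def disable_plugin(wp_content: Path) -> Path:
    """Steps 3 to 5: park the plugin so WordPress stops loading it and asking for a code."""
    return move_plugin(wp_content, "plugins", HOLDING)


def restore_plugin(wp_content: Path) -> Path:
    """Steps 7 and 8: move the plugin back, then remove the holding directory
    only if it is empty (rmdir fails, rather than deleting, if anything else is in it)."""
    dst = move_plugin(wp_content, HOLDING, "plugins")
    if not any((wp_content / HOLDING).iterdir()):
        (wp_content / HOLDING).rmdir()
    return dst


def demo() -> list:
    """Run the procedure on a constructed wp-content tree in a temp dir and return the
    plugin's location after each step plus whether the holding directory was cleaned up."""
    wp_content = Path(tempfile.mkdtemp(prefix="wp-demo-")) / "wp-content"
    (wp_content / "plugins" / PLUGIN).mkdir(parents=True)
    (wp_content / "plugins" / PLUGIN / f"{PLUGIN}.php").write_text("<?php // constructed stand-in\n")
    states = [plugin_location(wp_content)]
    disable_plugin(wp_content)              # WordPress would now log you in without a code
    states.append(plugin_location(wp_content))
    restore_plugin(wp_content)              # plugin is back; reactivate it in the Dashboard
    states.append(plugin_location(wp_content))
    states.append("holding-removed" if not (wp_content / HOLDING).exists() else "holding-left")
    shutil.rmtree(wp_content.parent)
    return states
```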