Content Management System Security: The Case for Doing Away With Passwords


Secure access to accounts of any kind has almost always revolved around the entry of a password. Even ATMs require a PIN, which is a kind of password. It therefore comes as no surprise that secure access to online accounts, including the administration area of content management systems, is password-based. However, there are two general reasons why password access to content management system admin areas is insecure:

People Do Not Make Effective Use of Them

People have a limited capacity for remembering strong passwords. Easily remembered passwords tend to be real words with perhaps a number or two embedded for good measure, which means they are easily broken by password-guessing algorithms. A further problem is that the human brain is even more limited when it comes to remembering multiple strong passwords.

Although there are effective mnemonic techniques that assist human memory, using them for remembering passwords to multiple accounts requires a great effort. The effort is yet more arduous when circumstances require changing some of these passwords. Another problem is that one must correctly associate each password with the correct account which is yet another memory task.

Password management tools are available that automatically log into accounts, and those who are sufficiently concerned about security do make use of them. However, these people seem to be a minority, because most people are content to use one easily remembered password for all of their accounts. This means that when a hacker acquires this password after breaking into one account, he has access to all of his victim's accounts.

Hackers Are Getting Better at Acquiring and Guessing Passwords

Popular open source content management systems such as WordPress are a favorite target of hackers. The URLs and layout of these content management systems have a fixed structure. When a hacker knows the URL of a WordPress site, he also knows the URL of its login page and the number and order of the login fields.

A common method of hacking into WordPress is through the use of password guessing algorithms. Since most usernames are the default name “admin”, the hacking problem is simplified to guessing the password. These algorithms often use dictionaries and extensive lists of commonly used passwords. Sometimes they use pure brute force guessing where every possible combination is methodically tried. Although various security plugins exist for deterring password guessing, their effectiveness diminishes as hackers devise ways to defeat them.
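The deterrents mentioned above work by noticing the pattern a guessing tool leaves behind: many POST requests to the fixed login URL from one address in a short time. The following is an added example, not code from the article or from any WordPress plugin, of that detection logic run over constructed web-server log lines in combined-log format; the threshold, window and IP addresses are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Matches the start of an Apache/nginx combined-log line: ip, timestamp, method, path, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
LOGIN_PATH = "/wp-login.php"  # the fixed URL every WordPress install exposes


def constructed_log() -> str:
    """Constructed sample traffic (not real data): 12 rapid login POSTs from one
    address, plus one page load and one login POST from a second address."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = []
    for i in range(12):
        ts = (base + timedelta(seconds=2 * i)).strftime(fmt)
        lines.append(f'198.51.100.7 - - [{ts}] "POST {LOGIN_PATH} HTTP/1.1" 200 4523')
    ts = base.strftime(fmt)
    lines.append(f'203.0.113.5 - - [{ts}] "GET {LOGIN_PATH} HTTP/1.1" 200 4523')
    lines.append(f'203.0.113.5 - - [{ts}] "POST {LOGIN_PATH} HTTP/1.1" 302 0')
    return "\n".join(lines)


def find_login_bursts(log_text: str, threshold: int = 10, window_seconds: int = 60) -> dict:
    """Return {ip: peak_count} for addresses that POST to the login page at least
    `threshold` times within any sliding window of `window_seconds`."""
    recent = defaultdict(deque)  # ip -> timestamps of login POSTs inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, _status = m.groups()
        if method != "POST" or not path.startswith(LOGIN_PATH):
            continue
        t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > window_seconds:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    print(find_login_bursts(constructed_log()))
```

A hosting-side rule built on this would rate-limit or block the flagged address rather than only report it.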

The Solution: A Passwordless Login Page

When people think of passwordless authentication, things such as fingerprint scanning, iris scanning, or voice recognition come to mind. However, a much simpler process has been in use for a very long time for a different purpose: the resetting of forgotten or lost passwords. When you forget or lose your password, you click a link that takes you to a page that asks for your user name or email address. After supplying the information, an email is sent to you with a link that brings you to a page where you can reset your password.

The passwordless login page follows the same procedure except that the email sent to you contains a link giving you direct access to your content management system admin area. At this point, you have logged in without using a password. The email link granting this access then times out after a short period of time, at which point it is no longer valid.
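The server side of the link-based login described above comes down to three rules: the token in the link must be unguessable, it must stop working after a short time, and it must work only once. The following is an added illustration, not code from the article or from any particular content management system, of those rules in Python; the in-memory store, the 15-minute lifetime and the URL are assumptions.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumption: an in-memory store stands in for a database table.
# Keyed by the SHA-256 of the token so a leaked store yields no usable links.
_TOKENS: Dict[str, Tuple[str, float]] = {}
TOKEN_TTL_SECONDS = 15 * 60  # the link "times out after a short period of time"


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_login_link(email: str, base_url: str, now: Optional[float] = None) -> str:
    """Create a single-use, time-limited login link for the supplied address.
    The caller emails this link; the page itself should give the same response
    whether or not the address exists, so it does not reveal valid accounts."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable
    _TOKENS[_hash(token)] = (email.strip().lower(), now + TOKEN_TTL_SECONDS)
    return f"{base_url}/login?token={token}"


def redeem_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the email that is now logged in, or None if the token is unknown,
    already used, or expired. The record is removed on first use either way."""
    now = time.time() if now is None else now
    record = _TOKENS.pop(_hash(token), None)  # pop: a link can never be replayed
    if record is None:
        return None
    email, expires_at = record
    if now > expires_at:
        return None
    return email


if __name__ == "__main__":
    link = issue_login_link("admin@example.test", "https://cms.example.test")
    print(link)
    print(redeem_token(link.split("token=")[1]))
```

The session created after a successful redemption still needs its own expiry and the usual cookie protections; the link only replaces the password step.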

If all of your accounts used this passwordless login process, your email account password is the only one you would have to remember. If a hacker acquires this password, he has access to all of your other accounts. However, your exposure is greatly diminished because you have only one password protected login page to worry about instead of tens or hundreds. An alternative to sending an email might be a text message to your mobile device. If your mobile device is stolen and its password is broken, then all of your accounts would also be at risk. However, your overall security exposure is greatly reduced.

The passwordless process described here is by no means the only one. For example, Clef shows a kind of dynamic QR code on your login page which is seen on your computer screen. Authentication occurs when you aim the camera of your mobile device at the QR code on your computer. More details are given here.

For questions about web hosting and how we can help your business, please contact us.


About the Author

Jess Coburn

It's Jess's responsibility as CEO and Founder of Applied Innovations to set the direction of Applied Innovations services to ensure that as a company we're consistently meeting the needs of our customers to help drive their success. In his spare time, Jess enjoys many of the things that made him a geek to begin with. That includes sexy new hardware, learning new technology and even a videogame or two! When you can’t find him at the office (which admittedly is rare), you’ll likely find him at the grill or in front of his smoker getting ready for some lip-smacking ribs to enjoy with his wife and two kids.