Oh dear. The issue isn’t the brute force, it’s that the online services leak and get cracked. And in an instant a single script takes the newly discovered username password combo and starts hammering it into the top 10000 websites, all within moments of the leak data becoming available.
Your super secret favourite phrase is worth crap once leaked alongside your email address.
Further, don’t choose Microsoft for your auth app. Go with an open source option, maybe one that encrypts and syncs so you have multiple devices, just in case.
This is only ever a problem if your password is reused. Don't reuse passwords, and if some website is hacked and they were storing your password in plaintext, you just have to reset your password (the same way everyone else does, 2FA or not).
That is the context of the reply, although I think they misread the article.
Anyone else here had friends have their, say, Instagram account hacked? None ever have MFA on, and it causes great distress.
MFA IS a good idea for multiple reasons.
- If you use 1Password (an example), then you're generating a bunch of random and unique passwords for every site.
- Questions to verify you as a 2FA tend to be less secure, since you tend to make simple answers for those. And they're not convenient to enter into 2FA apps.
- 2FA apps are typically great ways to guarantee one bit of randomness in the process.
I probably do not understand how Bitwarden works, but this feels wrong anyway.
Bitwarden is open-source enough that all functionality can be self-hosted, run on one's own and reviewed. IIRC, there are a couple of non-FLOSS modules for the commercial release in different directories under source control... Some are more purist than others.
That’s pretty much like handing your car keys to a random person on the street and being confident they will take it to the bank and put it in a locker.
The https://haveibeenpwned.com/ project regularly shares new breached datasets. Reusing passwords across websites without MFA is just not not not recommended in 2025.
1) Weak passwords are not ok even on throw-away accounts. Just because you have no use for it, doesn't mean nobody has. Sending spam, or impersonating you or some other creative use.
2) Nobody is going to brute-force your password. We don't use md5 anymore. Your password will get stolen. By phishing, malware, social engineering, password reuse etc.
Lots of websites you'll visit once per decade (maybe) still ask for an account. Or things like the software you get to manage your gaming peripherals, which nowadays all ask for an account for no reason.
Those accounts getting hacked? I don't care. So they all get a shitty birthday password if they accept it. If they prefer to use some stupid "X uppercase, Y lowercase, Z numbers, some special characters" I'll make a new account next time because I'm not using a real email. Or just stop there.
Same thing, I create a random account with random creds each time I want to use it. And there will be zero impact for me if it leaks...
Security is a bit like traffic. If you're alone in the world, you do you. But you are not alone, you have a responsibility to others, be it passers by, fellow travellers or those loved ones depending on you making it back alive.
Frankly, in a lot of these cases the site owner (e.g. Razer) has already decided to put their interest ahead of mine by requiring accounts to e.g. configure peripherals locally, so they can harvest sign ups for their marketing lists or tell investors they have XXX MAUs. I don't care if my password choice inconveniences them in turn.
Why should that be my problem? It reeks of the same bait-and-switch that banks are doing, with calling failures of their lax KYC/security process "identity theft", calling themselves the victim, and making the actual victim responsible for it.
Now it's called "identity theft" and they've convinced many of us it's our problem. So much that people pay the banks to buy "identity theft protection"!
For instance this requires an account
They can be okay for throw-away accounts, it just depends on the circumstance.
> Nobody is going to bruteforce your password.
I can assure you that there are still people brute forcing passwords. I see it happening all the time, especially for SSH accounts. While you are correct that phishing and password reuse are problems, they are also not totally solved by using 2FA.
This accidental confusion between TOTP and OTP is by itself an argument against complex alternatives to login+password.
No one can crack your super-strong multilingual password. But if a service accidentally leaks it, then it doesn't matter.
Credential stuffing is how 23andMe were hacked. People reused passwords, they were leaked from another service, attackers tried them on a variety of sites until they hit the jackpot.
Unique passwords prevent that attack. Can't remember a thousand different passwords? Use a manager.
Don't want to use a manager? Switch on 2FA. Weak passwords and password reuse cease to be a problem.
Yes, as the article points out, it slightly reduces ease of login. But that seems like a sensible trade off.
- Lots of flaky 2FA implementations out there where it's easy to get in without it, if you have the password
- If a service doesn't offer 2FA you are now unable to use it for fear of sharing your password (like this website)
I suppose logically if your email has 2FA, then someone can't do 'forgot password', but man, that feels super flaky.
I would not want this for my google account or the like.
(Logging into Reddit with a Google account bypasses any and all forms of 2FA auth.)
In addition to making the login process more complicated, 2FA can also introduce privacy concerns. A third party authenticator app can collect all kinds of data for its own reasons (for example, MS's app will request location and camera permissions), and that third party could also track which services you log into, when you access them, and how often you access them.
2FA can also cause you to be locked out of your accounts, either temporarily or forever.
Microsoft Authenticator can be configured by an admin to provide geo-blocking for attempts, so once again not just some arbitrary demand. It's a selling point of the product.
I'm not familiar enough with iOS to know if something similar to this exists for it, but I'd honestly be more surprised if there _isn't_.
That said, I prefer simple/general TOTP implementations that I can just use with my password manager for my own convenience. But the permissions being asked for are completely reasonable for the actual use of these applications.
You don't need a phone for this. You can put the secret key into your password manager and it can generate the TOTP code whenever you need it. KeepassXC and 1Password support it.
It stretches the definition of "two-factor" but I don't care; like the author I'm more concerned about phone theft and losing access to everything.
I always considered the time aspect to be the more important "factor" of TOTP in practice. E.g., if somebody managed to peek over your shoulder or film you while typing in your password. With TOTP, they have under a minute to capitalize on that information. I still have that base covered with my password manager handling the secret key, so I never saw the appeal of tying TOTP to a phone.
What's worse, the most common scheme, SMS-based authentication, can lead to denial of service, e.g. you are roaming and do not have access to texts, or you have your account SIM-jacked, as this seems to be a very popular way to steal people's cryptocurrencies.
Unfortunately, the industry has mangled the implementation, making them basically useless.
When they do work smoothly they aren’t useless though.
Anything Apple related is another story...
There's some good movement in the linux desktop space I'm excited about: https://github.com/linux-credentials/linux-webauthn-platform...
Google Android may be good, but Chrome is not doing it right yet. Chrome still tries to get you to use itself instead of delegating to the platform selection box.
On iOS I can even see a list of password & passkey providers, so I can ensure that the Apple one is toggled off (as well as MS Authenticator which can also provide those it seems)
I truly despise this. It effectively disenfranchises people for living outside of areas with good mobile coverage. Banks or utility payments or parking meters(!) or whatever should not be gated behind cellphone reception. Never mind people who can't use a phone at all ...
I tried buying an SMS number from Twilio so that I could receive 2FA while out of the country, but my bank (PNC) would not accept any phone number unless it was from one of the 4 major carriers in the US!
My credit card (capital one) seems to have a phone number on file from Mastercard. If I change my phone number in capital one, whenever I get into the Mastercard extra verification, it does not use the updated number. I have no idea how to get Mastercard to update it. I just ended up using a different credit card!
The great thing about Google Voice is that since Google doesn't believe in humans providing customer service (or more generally in providing customer service, period), there are no gullible CSRs that can be conned or bribed into SIM-swapping you unlike the mobile carriers.
Always use an authenticator app or physical key, most sites that do SMS 2FA will then allow hackers to use it to bypass knowing your password.
Because security is not just confidentiality, it's also availability: the "Security CIA Triad" is Confidentiality, Integrity, and Availability.
If I can lose access (availability) to my online account by losing some physical item (e.g. lost cell phone), or if some third party can prevent me from accessing my 2FA (e.g. banned from my email provider by DMCA takedown request), then my availability, and hence my overall security, is at risk.
Additionally, requiring a phone number for online services means that the confidentiality of my identity is reduced. It becomes impossible to be anonymous. For instance, you can't use Signal messenger without a phone number, so there's a chance your identity can be leaked.
This felt like the author bending over backwards to justify their choice. They find 2FA less convenient and conflate it with being less secure. It’s not the same thing.
It’s OK to say “not all my accounts are equally important and I need to access some of them in situations where 2FA and complex passwords aren’t worth it”. It’s not OK to sell the idea that 2FA does not generally offer security.
This reminded me of the “SEO expert” a few years back which was trying to convince everyone, with wrong information, to not use HTTPS (which, I realise only after writing this, the author’s website also doesn’t use).
The problem is in general people are really bad at assessing risk. You tend to see extremes.
I don't think this definition is very helpful though. So I prefer the one where the entities that need to have access still can access.
Because it’s a straw man, and straw men aren’t helpful for discussion. No one is suggesting making data wholly inaccessible.
Data that you cannot access “at any time and in any circumstances” (author’s words) can still be secure. A fairer analogy would have been storing disks in a locked safe in your home. It’s not as convenient to access it, but it is secure. Should you do that for all your data? No, but neither have I advocated for that. I very clearly stated that I think it’s OK to have different levels of protection for different types of data.
BTW what's the sentiment on passkeys?
https://github.com/keepassxreboot/keepassxc/issues/10407
There have been some discussions to create an export standard since then but I remain skeptical. Why was this not part of the original spec but the ban hammer was? Depending upon how this standard is implemented I can easily see it preventing export to anything but Google, Microsoft and Apple's implementations. And it still leaves the attestation badness in place.
AFAIU the attestation referred to here won’t be signed, so any implementation can say anything. It’s just supposed to be used for things like showing the user a logo so they know where their passkey is stored.
But yeah, anything resembling a phone passkey seems to have a sync fabric behind it.
I've been thinking that they allow you to have long, non-memorisable unique passwords for an account (1), and then add passkeys on the devices you use often. The long, non-memorisable password isn't inconvenient because you don't need to use it, and the passkeys which are used day to day are resistant to phishing & keyloggers (as I understand).
However, I don't know if that is how they're being used or marketed.
1) Perhaps even 2FA too, which wouldn't be as inconvenient if it's only used rarely. Given the points raised in this article, I'm rethinking whether that is necessary.
This is quite reasonable.
- Useless passwords for useless websites that needlessly require accounts.
- Autogenerated passwords for websites of infrequent use that you don't need to trust much.
- Memorized passwords for logins of high importance that you need to trust.
Since we only have so much capacity to memorize a password, the idea of reusing a password for the few high importance logins you have can be quite reasonable.
By always using the PW manager I have a clear and standard route of registering accounts that is not a lot more work, is way safer by default, and also can save time if at some point in 2 years you want to log in again because of some random event. Sure, email reset would be possible, but that takes time again.
Another counter-argument against the article in general, at least in my opinion: while 2FA adds a time consuming step to the login, it happens rarely. I use a lot of services and usually always enable 2FA if it has even a single bit of personal or critical data. But as soon as I'm logged in, the access tokens or refresh tokens are valid for such a long time that I rarely have to do the 2FA challenge again.
It is a giant pain. I can understand why people wouldn't want to go through it.
As far as I can tell, there are SaaS ones, broken ones, no longer maintained ones, and the ones that don't work on multiple platforms. There's not one password manager I've heard of that didn't exhibit one or more of the above "features".
"Perfect is the enemy of good", but the effort around making informed choice makes not using password managers seem better.
I've used it for years with no complaints, it's wonderful.
Yes, you pay, but I see that as acceptable and expected for the service offered.
1-2 clicks here, a couple there, and a click heavy UI. Welcome to the clickodrome, where your patience is tested to its limits.
Why do people click on everything without reading? Because you trained them to.
A password manager with randomly generated passwords and 2FA is the only sane response to millions of automated attacks.
2FA makes my workflow significantly more difficult. As a result, for non-critical sites, I have started allowing the browser to store my passwords, thus relying on the 2FA-authenticator for security. This result is likely less secure overall, since the browser's password storage could realistically be compromised.
That said, I do have to acknowledge the point in another comment that phishing may be the bigger threat. Log into a fake site with a password but no 2FA, and you are toast.
Also, SIDs are ephemeral and expire, while passwords are not supposed to.
Session IDs may be tied by the backend to a client IP address, or some such, but likely that's not done very often, and may not be that useful.
And I think that's the most probable reason 2FA is _required_ today on most online services.
How do you teach your beloved ones to access your accounts? And they need to remember what to do. For some accounts maybe it doesn't matter. For others, that means being able to end the subscription. Because not all subscriptions are associated with a credit card, which just expires.
But if you allow a company to be contacted by a third party to cancel and/or change things, then this becomes the go-to for social engineering.
I hope most people use a password manager.
(and recently discussed on HN: https://news.ycombinator.com/item?id=42991112)
I did the math years ago and even back then, thousands of users would pass daily and now with most of the world population on FB it probably comes in handy.
> One of the passwords that I know by heart is a famous classic quote clumsily translated in a mix of French and Dutch. It is long, it cannot be brute-forced because of its length and I am pretty sure it is not present in any of the rainbow tables. I never spell it out, let alone write it down, but it is in my muscle memory as I haven't changed it for years.
One keylogger OR phishing attempt and his super complex and secure password is ruined, with no 2FA to protect him.
If the 2fa was a yubikey or some other unique made-for-purpose device, the accounts wouldn't need to be recovered, but TFA is talking about microsoft authenticator so it could very well be on the compromised device.
The most irritating thing about security is people treating it as one dimensional: more or less secure. 2FA changes security in a complex way.
Session cookies are a problem. Some services provide a way to invalidate all session cookies, but it's often buried deeply in settings, and users don't know to look for the button after a compromise.
Security is important, but not the be-all, end-all. People really should get their priorities and threat models straight, and start counting denial of service and data loss due to the security system being incompatible with human beings as a cost.
You're thinking of something other than salting. A salt isn't secret. The point is to make sure that the same password on two services, or on two users of the same service, doesn't have the same hash each time.
I typically do this as a safeguard in case the device that is running the TOTP app breaks or fails in some way.
I'm old enough and my passwords are random enough that I don't worry about them being guessed. However, I do worry about web security in general and the fact that companies are basically black boxes with loads of young inexperienced developers. They may be storing our passwords as plaintext strings and have them in a public S3 bucket. But, if you want one of my YubiKeys, you'd have to find me and physically steal it from me and hope I don't notice.
So there are some useful things with regard to 2FA.
1: you as a user might want to protect your account
2: A website provider wants to secure their own business
If it's about 1, then the argument "I don't reuse passwords" holds some water. It doesn't protect you from somebody getting access to a plaintext copy of your requests (for example on the load balancer that terminates the TLS), but that's only a small part of the potential attack surface.
But from the perspective of the website owner, they might suspect that many of their users reuse passwords between sites. 2FA is a great defense against that, and also against brute force attempts.
Something you have.
Something you know.
Something you are.
Pick two.
NEW: Dismiss anything that is a hybridization. That is 1.5FA
It's 2025. 0-days are rampant. If you're not at 2.0FA, you're at a high risk of getting popped.
Why is he mixing stuff he shouldn't? I didn't find a reasonable explanation why 2FA makes things less secure. Not being able to access your account is more secure and not less secure.
This article has to do with having a backup plan to access your account and not with security. Or maybe "security" as in "peace of mind".
As for Microsoft Authenticator, the data is being backed up and can be restored. Except for Microsoft accounts: they require reconfiguration and... it is useless to have them backed up; it gives a false sense of "security" (peace of mind).
You are right though that this is about having a backup plan. For example, the TOTP app I use supports exporting the logins into a file, which can be saved elsewhere.
TOTP backups are put in .txt files for each service and in a folder encrypted by Cryptomator (using a unique pw not used by any other services, esp. 1Password). This encrypted folder is put on a flash drive on my keychain and synced into my Google Drive folder.
This feels to me like a pretty good balance between convenience and security. Not 100% of my eggs are in one basket, but it's true that my 1password account password needs to be long and well-guarded and never re-used for anything else. Also putting a lot of trust into 1password to not get breached...
I do something similar but instead use KeePassXC to securely store copies of totp secrets.
SSH... no, they can't.
Gmail... yes, you're basically giving your password in plaintext to someone on the internet.
I dislike 2FA for similar reasons, but I would rigorously segregate remembered passwords between those shared with some service, and those used locally.
Is it though? Wouldn’t that be some kind of safety thing? I think having no way to access the data would be ultimate security, that’s why there’s always a tradeoff between security and usability.
Edit: see e.g. https://en.wikipedia.org/wiki/Information_security
And some of us don't have reliable muscle memory... Having our SSH password suddenly vanish would be undesirable.
Disclaimer: I'm not a sith or a security zealot.
This is even more important.
Would people rather that no-one can MITM and see which articles they read on the site? Or is it about conditioning people to demand HTTPS so that it's there when they need it?
BTW: I feel I might be missing the real issues or unintentionally straw-manned them.
I also agree sms 2fa is just broken/garbage.
> Now, my Github access depends on the second factor, which I have chosen to be Microsoft Authenticator running on my phone. I genuinely do not know what will happen if my phone breaks down, so I downloaded TOTP codes from Github and even tried one to see if it works, and so far it does, but now I have one less TOTP code to use in case something happens. Moreover, since Github is now a special case for my password management routine, I am afraid I may lose those TOTP codes and be totally locked out of my account
What? That's not what security means. Sure, you traded convenience for security.
Why is this upvoted at all?
What is the biggest risk factor with Google account for me? Is it an attacker guessing my password, impersonating me, stealing my photos? No. It's me breaking my phone, and no longer being able to pass 2FA[0][1]. The second biggest risk? Me typing a wrong comment or YouTube, or doing any other minor transgression against ToS of some Google service, and losing access to everything in one go, with no recourse[2].
Note that literally nothing in meatspace ever requires as careful management over years to decades, as 2FA does. There is always a recovery procedure. You may need to stop by the court or a notary, but no matter the fuckup, you can always recover access - to everything except modern Internet services.
--
[0] - Yes, I have the security codes I generated 15+ years ago; I have them on paper, somewhere. Like most people, I suck at keeping small paper documents accessible and available over years.
[1] - Also yes, I did break my phone, and I survived this without data loss only because I had a complex setup around Pebble and Tasker, that allowed me to operate the phone with non-functioning screen remotely to the point I could mirror the display to the computer and continue from then. Most people in most situations can't do that.
[2] - Other than complaining on HN and hoping some Googler will advocate internally for me - which, as far as I know, they're explicitly not allowed to do, and it's a career-risking move.
Availability is an important part of any system; if you lock people out, the system will be secure, but it stops serving its purpose.
Where OP fails is he seems not to understand password leaks and how many password+e-mail+phone number+other info lists are out there.
There is credential stuffing and password spraying running around from leaked passwords, so you can try a dozen users on FB and just hit the jackpot with one or a couple; you don't have to brute force each one of them, as there are countermeasures for that.
Even if you have a weak password with a trick, it is trivial to find out your trick when your password has leaked from 5-10 services where you used the same e-mail.
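The comment above separates credential stuffing and spraying (one try against many accounts) from brute force (many tries against one account), and that difference in shape is exactly what a defender can detect. This is an added Python example, not code from the thread or from any site it mentions; the audit lines it parses are constructed here, and it flags sources whose failed attempts spread across many distinct accounts, listing any account that succeeded from such a source as a likely password-reuse hit to force a reset on.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines (not real logs). One source tries six different
# accounts once each and gets one hit; another hammers a single account; a third
# is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2025-03-01T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2025-03-01T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2025-03-01T10:00:03Z ip=203.0.113.5 user=dave result=OK
2025-03-01T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2025-03-01T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2025-03-01T10:00:10Z ip=198.51.100.7 user=alice result=FAIL
2025-03-01T10:00:11Z ip=198.51.100.7 user=alice result=FAIL
2025-03-01T10:00:12Z ip=198.51.100.7 user=alice result=FAIL
2025-03-01T10:00:13Z ip=198.51.100.7 user=alice result=FAIL
2025-03-01T10:00:14Z ip=198.51.100.7 user=alice result=FAIL
2025-03-01T10:00:15Z ip=198.51.100.7 user=alice result=FAIL
2025-03-01T10:05:00Z ip=192.0.2.9 user=grace result=FAIL
2025-03-01T10:05:30Z ip=192.0.2.9 user=grace result=OK
"""


def parse_line(line: str) -> dict:
    """Parse 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), **fields}


def classify_sources(log_text: str, min_attempts: int = 5, spread: float = 0.8) -> dict:
    """Label each source IP by the shape of its login attempts.

    spread is the share of attempts that must hit distinct accounts before a
    source is called stuffing/spraying; a single target account is brute force.
    In production, bucket by time window too, and remember that a shared NAT
    (an office, a campus) can legitimately look spread out.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_ip[event["ip"]].append(event)

    verdicts = {}
    for ip, events in by_ip.items():
        attempts = len(events)
        if attempts < min_attempts:
            continue  # too little to say anything
        users = {e["user"] for e in events}
        if len(users) >= spread * attempts:
            verdict = "credential_stuffing"
        elif len(users) == 1:
            verdict = "brute_force"
        else:
            verdict = "mixed"
        # Successes from a flagged source are the "jackpot" accounts: the
        # password almost certainly came from another site's leak.
        hits = sorted({e["user"] for e in events if e["result"] == "OK"})
        verdicts[ip] = {"verdict": verdict, "attempts": attempts,
                        "distinct_users": len(users), "hits": hits}
    return verdicts


if __name__ == "__main__":
    for ip, info in classify_sources(SAMPLE_LOG).items():
        print(ip, info)
```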
Your Google/Microsoft/FB/etc accounts are used to sign in or access information about other extremely important things in your life, like your bank, payroll, travel companies, health records, taxes, insurance, everything really. If you get locked out of those SSO "identity providers", you get transitively locked out of everything else. Which means you could end up without access to money, unable to pay rent, unable to travel, contact friends for help, etc.
In other words, your physical security would be threatened, as in you might literally become homeless and die of exposure.