> I never spell it out, let alone write it down, but it is in my muscle memory as I haven't changed it for years. There is no way someone on the internet can break into my ssh account or gmail account protected by such a password.
Oh dear. The issue isn’t the brute force, it’s that the online services leak and get cracked. And in an instant a single script takes the newly discovered username password combo and starts hammering it into the top 10000 websites, all within moments of the leak data becoming available.
Your super secret favourite phrase is worth crap once leaked alongside your email address.
Further, don't choose Microsoft for your auth app. Go with an open source option, maybe one that encrypts and syncs so you have multiple devices just in case.
> Oh dear. The issue isn’t the brute force, it’s that the online services leak and get cracked. And in an instant a single script takes the newly discovered username password combo and starts hammering it into the top 10000 websites, all within moments of the leak data becoming available.
This is only ever a problem if your password is reused. Don't reuse passwords, and if some website is hacked and they were storing your password in plaintext, you just have to reset your password (the same way everyone else does, 2FA or not).
- if you use 1password (an example), then you're generating a bunch of random and unique passwords for every site
- questions to verify you as a 2FA tend to be less secure since you tend to make simple answers for those. And they're not convenient to enter into 2FA apps.
- 2fa apps are typically great ways to guarantee one bit of randomness into the process
I use the same app for most 2fa and the passwords themselves (Bitwarden). It makes the 2FA slightly weaker being in the same app, but infinitely more useful. It does bug me that they (Bitwarden) as a service want me to use 2FA for first logins, which makes it harder to access. My master passphrase is long, unique and only on their app/site.
While true... this is less of an issue if the breached database includes strongly encrypted passwords with individual salts. At least half of them are going to be part of existing breaches, but you aren't going to bother with the rest as it can/will take an exponential amount of time if they are treated properly, leaving OP's password safe(ish).
Passwords can leak in many ways other than database breaches. Malicious front-end code and accidental logging that goes to a public place like an S3 bucket are two examples.
It's also less of an issue if the passwords never get leaked at all. The question is how much of a bet you're willing to make on the security practices of all of the sites where you have an account following this practice, and at least to me it doesn't seem like a smart one.
I could not agree more with this comment. OP entirely misses the point of 2FA. I sleep so much better at night knowing that I have different passwords for every account, and 2FA where possible. One should not write about 2FA when one uses the same "uncrackable" password everywhere...
Not sure I understand — passwords are generally hashed in databases. Even if leaked, an attacker would still need to brute-force the hash to retrieve the actual password, wouldn’t they?
You'd think so. But over and over, plain text leaks of passwords are the practical reality of the modern internet. A disgruntled staff member, poor tech practices or someone working out a way to get in and get access.
The https://haveibeenpwned.com/ project regularly shares new breached datasets. Reusing passwords across websites without MFA is just not not not recommended in 2025.
"Generally", sure. How do you guarantee every service you've ever signed up for uses proper salting and hashing though? All it takes is one for your entire security model to go down the drain.
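The "proper salting and hashing" the thread keeps coming back to, as an added example written for this page (not code from any commenter or service). It uses PBKDF2-HMAC-SHA256 with a per-user random salt and a constructed iteration count, and contrasts it with the unsalted MD5 scheme mentioned later in the thread, where two users with the same password produce the same digest.

```python
import hashlib
import hmac
import os

# Work factor for this example (assumed value; raise it as hardware gets faster).
ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).

    A fresh 16-byte salt per user means identical passwords yield different
    records, so a leaked table cannot be attacked with one precomputed lookup.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and iteration count stored in the record and
    compare in constant time so timing does not leak how many bytes matched."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_md5(password: str) -> str:
    """The legacy scheme the thread alludes to ("we don't use md5 anymore"):
    fast to compute and salt-free, so every user sharing a password shares a
    digest and one cracked entry exposes all of them."""
    return hashlib.md5(password.encode()).hexdigest()


def same_password_collides(password: str) -> dict:
    """Hash the same password twice under each scheme and report whether the
    two stored values are identical (True means the scheme leaks reuse)."""
    return {
        "md5": unsalted_md5(password) == unsalted_md5(password),
        "salted_pbkdf2": hash_password(password) == hash_password(password),
    }
```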
1) Weak passwords are not ok even on throw-away accounts. Just because you have no use for it, doesn't mean nobody has. Sending spam, or impersonating you or some other creative use.
2) Nobody is going to bruteforce your password. We don't use md5 anymore. Your password will get stolen. By phishing, malware, social engineering, password reuse etc.
> Just because you have no use for it, doesn't mean nobody has.
Lots of websites you'll visit once per decade (maybe) still ask for an account. Or things like the software you get to manage your gaming peripherals, which nowadays all ask for an account for no reason.
Those accounts getting hacked? I don't care. So they all get a shitty birthday password if they accept it. If they prefer to use some stupid "X uppercase, Y lowercase, Z numbers, some special characters" I'll make a new account next time because I'm not using a real email. Or just stop there.
Same thing for example for public TV broadcast streams. Often they want you to create an account with an email to watch streams, for totally zero use for you, but they hope to be able to target you with ads and co.
Same thing, I create a random account with random creds each time I want to use it. And there will be zero impact for me if it leaks...
That is your perspective. Not that of the site owner, or the internet at large, victim to any abuse somebody unkind can unleash.
Security is a bit like traffic. If you're alone in the world, you do you. But you are not alone, you have a responsibility to others, be it passers by, fellow travellers or those loved ones depending on you making it back alive.
> 1) Weak passwords are not ok even on throw-away accounts. Just because you have no use for it, doesn't mean nobody has. Sending spam, or impersonating you or some other creative use.
Why should that be my problem? It reeks of the same bait-and-switch that banks are doing, with calling failures of their lax KYC/security process "identity theft", calling themselves the victim, and making the actual victim responsible for it.
I love this, yes the crime of getting a loan with stolen or fake credentials used to be called "bank fraud" and it was the bank's problem.
Now it's called "identity theft" and they've convinced many of us it's our problem. So much that people pay the banks to buy "identity theft protection"!
> Weak passwords are not ok even on throw-away accounts.
They can be okay for throw-away accounts, it just depends on the circumstance.
> Nobody is going to bruteforce your password.
I can assure you that there are still people brute forcing passwords. I see it happening all the time, especially for SSH accounts. While you are correct that phishing and password reuse are problems, they are also not totally solved by using 2FA.
Credential stuffing. Attackers can spam a site with logins with common passwords. Too few sites implement good mitigations against this because it's easy to block/lock legitimate users that typoed a password.
No one can crack your super-strong multilingual password. But if a service accidentally leaks it, then it doesn't matter.
Credential stuffing is how 23andMe were hacked. People reused passwords, they were leaked from another service, attackers tried them on a variety of sites until they hit the jackpot.
Unique passwords prevent that attack. Can't remember a thousand different passwords? Use a manager.
Don't want to use a manager? Switch on 2FA. Weak passwords and password reuse cease to be a problem.
Yes, as the article points out, it slightly reduces ease of login. But that seems like a sensible trade off.
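The comments above describe credential stuffing from the attacker's side (many leaked username/password pairs replayed against one site) and note that sites struggle to block it without locking out users who simply mistyped. As an added example, not from any commenter, here is the defender-side detection logic: it scores each source address over a constructed sample of login events and flags the pattern "many distinct usernames, mostly failures, short window", while leaving a single user retrying their own password alone. The log format and thresholds are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of login events: "unix_timestamp source_ip username result".
SAMPLE_LOG = """\
1700000001 203.0.113.7 alice FAIL
1700000002 203.0.113.7 bob FAIL
1700000002 203.0.113.7 carol FAIL
1700000003 203.0.113.7 dave FAIL
1700000003 203.0.113.7 erin OK
1700000004 203.0.113.7 frank FAIL
1700000005 198.51.100.4 alice FAIL
1700000009 198.51.100.4 alice FAIL
1700000015 198.51.100.4 alice OK
1700000020 192.0.2.9 bob OK
"""


@dataclass
class Verdict:
    ip: str
    attempts: int
    distinct_users: int
    successes: int
    suspicious: bool


def parse(log_text: str):
    """Yield (timestamp, ip, username, succeeded) tuples from the sample format."""
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        yield int(ts), ip, user, result == "OK"


def score_sources(log_text: str, window: int = 60, min_attempts: int = 5,
                  max_success_rate: float = 0.25) -> dict:
    """Flag a source as stuffing when, within `window` seconds of its first
    attempt, it tries at least `min_attempts` *different* usernames and
    succeeds at most `max_success_rate` of the time. The rare success inside
    such a burst is the "jackpot" the thread mentions and deserves review,
    whereas one user failing twice and then succeeding is ordinary behaviour.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse(log_text):
        by_ip[ip].append((ts, user, ok))

    verdicts = {}
    for ip, events in by_ip.items():
        events.sort()
        first_ts = events[0][0]
        in_window = [e for e in events if e[0] - first_ts <= window]
        users = {user for _, user, _ in in_window}
        successes = sum(1 for _, _, ok in in_window if ok)
        rate = successes / len(in_window)
        suspicious = (len(in_window) >= min_attempts
                      and len(users) >= min_attempts
                      and rate <= max_success_rate)
        verdicts[ip] = Verdict(ip, len(in_window), len(users), successes, suspicious)
    return verdicts


if __name__ == "__main__":
    for verdict in score_sources(SAMPLE_LOG).values():
        print(verdict)
```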
Gmail “magic link” login (which is the reset password flow, but without needing the password) is the same security profile as Google OAuth, while exposing less user data (name and profile are nonoptional) — and also equivalent to an Android-managed passkey.
> Yes, as the article points out, it slightly reduces ease of login. But that seems like a sensible trade off.
In addition to making the login process more complicated, 2FA can also introduce privacy concerns. A third party authenticator app can collect all kinds of data for its own reasons (for example, MS's app will request location and camera permissions) and that 3rd party could also track which services you log into, when you access them, and how often you access them.
2FA can also cause you to be locked out of your accounts, either temporarily or forever.
Having a TOTP app request camera permission isn't nefarious. In fact, I'd 100% expect it. Most of the time people import a TOTP secret from a QR code.
Microsoft Authenticator can be configured by an admin to provide geo-blocking for attempts, so once again not just some arbitrary demand. It's a selling point of the product.
> Now, my Github access depends on the second factor, which I have chosen to be Microsoft Authenticator running on my phone. I genuinely do not know what will happen if my phone breaks down, so I downloaded TOTP codes from Github and even tried one to see if it works, and so far it does, but now I have one less TOTP code to use in case something happens. Moreover, since Github is now a special case for my password management routine, I am afraid I may lose those TOTP codes and be totally locked out of my account.
You don't need a phone for this. You can put the secret key into your password manager and it can generate the TOTP code whenever you need it. KeepassXC and 1Password support it.
It stretches the definition of "two-factor" but I don't care; like the author I'm more concerned about phone theft and losing access to everything.
I always considered the time aspect to be the more important "factor" of TOTP in practice. E.g., if somebody managed to peek over your shoulder or film you while typing in your password. With TOTP, they have under a minute to capitalize on that information. I still have that base covered with my password manager handling the secret key, so I never saw the appeal of tying TOTP to a phone.
This is compounded by the fact most 2FA implementations are security theater, not phishing-resistant, the sole exception being FIDO2/Webauthn (e.g. Yubikeys), and Passkeys, but passkeys are really single-factor authentication. Both FIDO and passkeys have serious usability challenges, though.
What's worse, the most common scheme, SMS-based authentication, can lead to denial of service, e.g. you are roaming and do not have access to texts, or have your account SIM-jacked as this seems to be a very popular way to steal people's cryptocurrencies.
Funny how that always happens. Passkeys were supposed to be great and what you ended up with is platform players abusing their position to push lock in to their own passkey solutions over fair access to arbitrary 3rd party providers.
When they do work smoothly they aren’t useless though.
I mean they're not totally useless, in the current implementation they just can't replace passwords. I have a bunch of passkeys in my Bitwarden and they function as a "log in bypassing the 2FA screen" button. I get to skip the "we sent a code to your phone/email/butthole" flow.
The article agrees passkeys can't be phished. They acknowledge they just push users to go through an unnecessary account recovery and then phish those other credentials.
I truly despise this. It effectively disenfranchises people for living outside of areas with good mobile coverage. Banks or utility payments or parking meters(!) or whatever should not be gated behind cellphone reception. Nevermind people who can't use a phone at all ...
I don’t have an international phone plan. When I travel overseas I cannot access my bank account and my primary credit card randomly asks for a phone number verification that I cannot update.
I tried buying an SMS number from Twilio so that I could receive 2FA while out of the country, but my bank (PNC) would not accept any phone number unless it was from one of the 4 major carriers in the US!
My credit card (capital one) seems to have a phone number on file from Mastercard. If I change my phone number in capital one, whenever I get into the Mastercard extra verification, it does not use the updated number. I have no idea how to get Mastercard to update it. I just ended up using a different credit card!
I thought he was going to mention the stupidity of sites like Twitter that when you add SMS as a 2FA option you can now use that to bypass the password and so are vulnerable to sim hijacking, which given how incompetent phone company employees are makes your security weaker.
Always use an authenticator app or physical key, most sites that do SMS 2FA will then allow hackers to use it to bypass knowing your password.
I agree with the article. Maybe businesses are trying to protect themselves, but as a user, mandatory 2FA reduces the level of security I can achieve for myself.
Because security is not just confidentiality, it's also availability: the "Security CIA Triad" is Confidentiality, Integrity, and Availability.
If I can lose access (availability) to my online account by losing some physical item (e.g. lost cell phone), or if some third party can prevent me from accessing my 2FA (e.g. banned from my email provider by DMCA takedown request), then my availability, and hence my overall security, is at risk.
Additionally, requiring a phone number for online services means that the confidentiality of my identity is reduced. It becomes impossible to be anonymous. For instance, you can't use Signal messenger without a phone number, so there's a chance your identity can be leaked.
> Because security is not only about being protected from intrusion, but also about being able to securely access data at any time and in any circumstances.
This felt like the author bending over backwards to justify their choice. They find 2FA less convenient and conflate it with being less secure. It’s not the same thing.
It’s OK to say “not all my accounts are equally important and I need to access some of them in situations where 2FA and complex passwords aren’t worth it”. It’s not OK to sell the idea that 2FA does not generally offer security.
This reminded me of the “SEO expert” a few years back which was trying to convince everyone, with wrong information, to not use HTTPS (which, I realise only after writing this, the author’s website also doesn’t use).
Security is about risk management. If the value of what you're protecting is low, or the consequences of not accessing something are high, then the MFA control may not add value.
The problem is in general people are really bad at assessing risk. You tend to see extremes.
> I don't think this definition is very helpful though.
Because it’s a straw man, and straw men aren’t helpful for discussion. No one is suggesting making data wholly inaccessible.
Data that you cannot access “at any time and in any circumstances” (author’s words) can still be secure. A fairer analogy would have been storing disks in a locked safe in your home. It’s not as convenient to access it, but it is secure. Should you do that for all your data? No, but neither have I advocated for that. I very clearly stated that I think it’s OK to have different levels of protection for different types of data.
That is the context of the reply, although I think they misread the article.
Anyone else here had friends have their, say, Instagram account hacked? None ever have MFA on and it causes great distress.
MFA IS a good idea for multiple reasons.
That's pretty much like handing your car keys to a random person on the street and being confident they will take it to the bank and put it in a locker.
For instance, this requires an account:
https://news.ycombinator.com/item?id=43245361
This accidental confusion between TOTP and OTP is by itself an argument against complex alternatives to login+password.
- Lots of flaky 2FA implementations out there where it's easy to get in without it, if you have the password
- If a service doesn't offer 2FA you are now unable to use it for fear of sharing your password (like this website)
I suppose logically if your email is 2FA, then someone can't do 'forgot password', but man that feels super flaky.
(Logging into Reddit with a Google account bypasses any and all forms of 2FA auth.)
Unfortunately, the industry has mangled the implementation, making them basically useless.
I don't think this definition is very helpful though. So I prefer the one where the entities that need to have access still can access.
https://news.ycombinator.com/item?id=43421721