Terence Eden’s Blog /
npub1y66…eusx
2024-07-01 11:34:05


**Password Resets in an Age of MFA**
https://shkspr.mobi/blog/2024/07/password-resets-in-an-age-of-mfa/

Recently, WordPress got in contact with me to say they suspect that my password was exposed in some sort of data breach. Well, it's a day ending with a "y" - so of course some scumbag has pilfered my digital identity.

WordPress mandated that I change my password. But was that really necessary?

Firstly, the password was uniquely generated by my password manager[1]. It isn't re-used anywhere else. So there is no chance of hackers breaking into my email, bank, or OnlyFans account[2].

Secondly, and more importantly, I have a 2FA app which provides me with a TOTP code every time I want to log in. Even if the evil ne'er-do-wells have my username *and* password, they can't get in without the MFA code[3].

So, should I change my password?

To understand this, it's worth considering the risks - both of action and inaction.

Changing a password isn't without risk:

- Perhaps some long-forgotten app or service relies on that password. If I change it, what will break?
- Do I trust my password manager to give me a strong password?
- What if the original email is a phishing attempt and I end up giving the baddies my credentials?
- Can I be bothered spending the time maintaining this old account?

As for the risks of inaction:

- Using my details, a miscreant *might* convince WordPress to disable MFA on my account.
- If there was a breach, my MFA seed secret might also have been stolen.

On balance… yeah, obviously I should change my password. It is a 30 second job with a decent password manager. But, I might argue, there isn't much *urgency* in doing so:

- A strong and unique password means there is no risk of collateral damage to other accounts.
- The use of MFA adds an extra layer of protection which buys you time.
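As an added illustration (not from the original post) of why the leaked-seed risk above matters more than the leaked password: an RFC 6238 TOTP code is a function of the shared seed and the clock only, so the account password never enters the calculation. The seed here is the RFC 6238 reference test seed, and `verify_totp` and `rotate_seed` are assumed names for a server-side verifier and a re-enrolment step.

```python
import hmac
import hashlib
import secrets
import struct

# Constructed demo value: the RFC 6238 reference seed, not anybody's real seed.
RFC6238_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated.
    Note what is NOT an input here: the account password."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(seed, at // step, digits)


def verify_totp(seed: bytes, submitted: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check (assumed helper): accept the current step and `skew` steps
    either side for clock drift, comparing in constant time."""
    return any(
        hmac.compare_digest(hotp(seed, at // step + delta), submitted)
        for delta in range(-skew, skew + 1)
    )


def rotate_seed() -> bytes:
    """Re-enrolment after a suspected seed leak (assumed helper): a fresh 160-bit seed.
    Changing the password alone leaves the old seed, and every code derived from it, valid."""
    return secrets.token_bytes(20)


if __name__ == "__main__":
    t = 59  # RFC 6238 test vector: SHA-1, T=59 -> 94287082 (8 digits), 287082 (6 digits)
    print(totp(RFC6238_SEED, t, digits=8))
    # A copy of the seed (the "stolen seed" case) reproduces the code exactly; a
    # stolen password contributes nothing to it.
    print(totp(bytes(RFC6238_SEED), t) == totp(RFC6238_SEED, t))
    new_seed = rotate_seed()
    print(verify_totp(new_seed, totp(new_seed, t), t))
```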

Thankfully, we've moved on from the outdated advice to [regularly change your password](https://www.ncsc.gov.uk/collection/passwords/updating-your-approach#PasswordGuidance:UpdatingYourApproach-Don'tenforceregularpasswordexpiry). Now we only have to change them when there's been a breach. Which, coincidentally, is every 30 days…

The future ain't what it used to be!

1. It was `w@&7%GUznK#9^}<S5` if you must know.
2. Lots of weirdos want to buy videos of me recompiling Linux while in my pants. Who am I to judge?
3. It is currently `194 685`.



#2fa #CyberSecurity #MFA #passwords #totp
Author Public Key
npub1y66rre8r3yptrcumrxelkmpr2hd8tpg35rxsx4eqcuejpgj5dgcslreusx