Terence Eden’s Blog on Nostr: **Password Resets in an Age of MFA** ...
**Password Resets in an Age of MFA**
https://shkspr.mobi/blog/2024/07/password-resets-in-an-age-of-mfa/
Recently, WordPress got in contact with me to say they suspect that my password was exposed in some sort of data breach. Well, it's a day ending with a "y" - so of course some scumbag has pilfered my digital identity.
WordPress mandated that I change my password. But was that really necessary?
Firstly, the password was uniquely generated by my password manager<a href="#fn-51014-password" class="jetpack-footnote" title="Read footnote.">1</a>. It isn't re-used anywhere else. So there is no chance of hackers breaking in to my email, bank, or OnlyFans account<a href="#fn-51014-OF" class="jetpack-footnote" title="Read footnote.">2</a>.
Secondly, and more importantly, I have 2FA app which provides me with a TOTP code every time I want to log in. Even if the evil ne'erdowells have my username *and* password, they can't get in without the MFA code<a href="#fn-51014-2FA" class="jetpack-footnote" title="Read footnote.">3</a>.
So, should I change my password?
To understand this, it's worth considering the risks - both of action and inaction.
Changing a password isn't without risk.<li>Perhaps some long-forgotten app or service relies on that password. If I change it, what will break?</li><li>Do I trust my password manager to give me a strong password?</li><li>What if the original email is a phishing attempt and I end up giving the baddies my credentials?</li><li>Can I be bothered spending the time maintaining this old account?</li>
As for the risk of inaction.<li>Using my details, a miscreant <em>might</em> convince WordPress to disable MFA on my account. </li><li>If there was a breach, my MFA seed secret might also have been stolen.</li>
On balance… yeah, obviously I should change my password. It is a 30 second job with a decent password manager. But, I might argue, there isn't much *urgency* in doing so.<li>A strong and unique password means there is no risk of collateral damage to other accounts.</li><li>The use of MFA adds an extra layer of protection which buys you time.</li>
Thankfully, we've moved on from the outdated advice to [regularly change your password](https://www.ncsc.gov.uk/collection/passwords/updating-your-approach#PasswordGuidance:UpdatingYourApproach-Don'tenforceregularpasswordexpiry ). Now we only have to change them when there's been a breach. Which, coincidentally, is every 30 days…
The future ain't what it used to be!<li id="fn-51014-password">It was <code>w@&7%GUznK#9^}<S5</code> if you must know. <a href="#fnref-51014-password" title="Return to main content.">↩</a></li><li id="fn-51014-OF">Lots of weirdos want to buy videos of me recompiling Linux while in my pants. Who am I to judge? <a href="#fnref-51014-OF" title="Return to main content.">↩</a></li><li id="fn-51014-2FA">It is currently <code>194 685</code>. <a href="#fnref-51014-2FA" title="Return to main content.">↩</a></li>
https://shkspr.mobi/blog/2024/07/password-resets-in-an-age-of-mfa/
#2fa #CyberSecurity #MFA #passwords #totp
https://shkspr.mobi/blog/2024/07/password-resets-in-an-age-of-mfa/
Recently, WordPress got in contact with me to say they suspect that my password was exposed in some sort of data breach. Well, it's a day ending with a "y" - so of course some scumbag has pilfered my digital identity.
WordPress mandated that I change my password. But was that really necessary?
Firstly, the password was uniquely generated by my password manager<a href="#fn-51014-password" class="jetpack-footnote" title="Read footnote.">1</a>. It isn't re-used anywhere else. So there is no chance of hackers breaking in to my email, bank, or OnlyFans account<a href="#fn-51014-OF" class="jetpack-footnote" title="Read footnote.">2</a>.
Secondly, and more importantly, I have 2FA app which provides me with a TOTP code every time I want to log in. Even if the evil ne'erdowells have my username *and* password, they can't get in without the MFA code<a href="#fn-51014-2FA" class="jetpack-footnote" title="Read footnote.">3</a>.
So, should I change my password?
To understand this, it's worth considering the risks - both of action and inaction.
Changing a password isn't without risk.<li>Perhaps some long-forgotten app or service relies on that password. If I change it, what will break?</li><li>Do I trust my password manager to give me a strong password?</li><li>What if the original email is a phishing attempt and I end up giving the baddies my credentials?</li><li>Can I be bothered spending the time maintaining this old account?</li>
As for the risk of inaction.<li>Using my details, a miscreant <em>might</em> convince WordPress to disable MFA on my account. </li><li>If there was a breach, my MFA seed secret might also have been stolen.</li>
On balance… yeah, obviously I should change my password. It is a 30 second job with a decent password manager. But, I might argue, there isn't much *urgency* in doing so.<li>A strong and unique password means there is no risk of collateral damage to other accounts.</li><li>The use of MFA adds an extra layer of protection which buys you time.</li>
Thankfully, we've moved on from the outdated advice to [regularly change your password](https://www.ncsc.gov.uk/collection/passwords/updating-your-approach#PasswordGuidance:UpdatingYourApproach-Don'tenforceregularpasswordexpiry ). Now we only have to change them when there's been a breach. Which, coincidentally, is every 30 days…
The future ain't what it used to be!<li id="fn-51014-password">It was <code>w@&7%GUznK#9^}<S5</code> if you must know. <a href="#fnref-51014-password" title="Return to main content.">↩</a></li><li id="fn-51014-OF">Lots of weirdos want to buy videos of me recompiling Linux while in my pants. Who am I to judge? <a href="#fnref-51014-OF" title="Return to main content.">↩</a></li><li id="fn-51014-2FA">It is currently <code>194 685</code>. <a href="#fnref-51014-2FA" title="Return to main content.">↩</a></li>
https://shkspr.mobi/blog/2024/07/password-resets-in-an-age-of-mfa/
#2fa #CyberSecurity #MFA #passwords #totp