Skip to main content

Password Security and Multi-Factor Authentication

Passwords are still everywhere, but attackers increasingly steal more than passwords. They steal session cookies, recovery codes, OAuth grants, API keys, SSH keys, personal access tokens, and cloud credentials. Strong authentication now means protecting every secret that can prove identity or grant access. This page teaches the habits that stop one compromised account from becoming a larger breach.

Why Most Passwords Fail

The Predictability Problem

When asked to create a “strong” password, many people follow the same patterns:
  • Start with a common word: Password, Summer, Welcome
  • Capitalize the first letter: Password
  • Add numbers at the end: Password123
  • Add a special character to satisfy requirements: Password123!
Attackers know these patterns. Password-cracking tools use dictionaries, rule-based mutations, leaked password lists, and common seasonal terms. A password like Summer2026! looks complex, but it is predictable.

Password Entropy

Entropy measures unpredictability. Higher entropy means a password is harder to guess.
Password typeExampleBetter or worse?Why
Short common passwordPassword123!WorseCommon pattern, easy to guess
Reused passwordSame password on many sitesWorseOne breach affects many accounts
Random passwordaK8$mQ2x!bL4nR7@wZ9BetterLong, random, hard to guess
Random passphraseclash-atlas-grief-hound-cedarBetterLong and memorable if generated randomly
Password manager generated secretUnique 20+ character valueBest for most accountsUnique per site and not memorized
Length and uniqueness matter more than memorizing complex-looking patterns. Use a password manager for most passwords and a strong passphrase for the password manager itself.

Passphrases

A passphrase is a sequence of random, unrelated words used as a password. It is useful when you need to remember one important secret, such as your password manager master password or device login. Good passphrases:
  • Use random words, not a quote or sentence.
  • Avoid personal information such as names, pets, birthdays, or favorite teams.
  • Are long enough to resist guessing.
  • Are unique and never reused.
Examples:
ExampleAssessment
clash-atlas-grief-hound-cedarStrong if randomly generated
i-love-my-dog-maxWeak because it uses personal information
to-be-or-not-to-beWeak because it is a famous quote

Password Managers

A password manager is an encrypted vault that generates, stores, and autofills credentials. It solves the main human problem: you should not need to remember hundreds of unique passwords.

What a Password Manager Should Do

  1. Generate unique random passwords for every account.
  2. Store passwords in an encrypted vault.
  3. Autofill only on the correct domain.
  4. Warn you about reused, weak, or breached passwords.
  5. Support MFA for the vault itself.
  6. Let you export an emergency recovery plan if appropriate.
ManagerTypeBest for
BitwardenOpen source, cloud-syncedGeneral use and transparency-conscious users
1PasswordCommercial, cloud-syncedFamilies and teams with strong usability needs
KeePassXCOpen source, local-onlyOffline environments and users who want maximum control
Apple Passwords / KeychainBuilt into Apple platformsUsers fully in the Apple ecosystem
Your master password is a critical secret. Make it long, unique, and memorable. If you lose it, many password managers cannot recover your vault.

Multi-Factor Authentication

Multi-factor authentication (MFA) requires proof from at least two different categories:
  1. Something you know: Password, PIN, recovery phrase
  2. Something you have: Phone, authenticator app, hardware key, smart card
  3. Something you are: Fingerprint, face scan, iris scan
Two passwords are not MFA because they are both “something you know.”

The MFA Spectrum

1

SMS Codes

Better than no MFA, but vulnerable to SIM swapping, phone number takeover, and message interception.
2

Email Codes

Useful for low-risk accounts, but weak if the email account is already compromised.
3

Authenticator Apps

Time-based codes generated locally by apps such as Aegis, Google Authenticator, Microsoft Authenticator, or 2FAS. Stronger than SMS.
4

Push Notifications

Convenient, but vulnerable to MFA fatigue if users approve prompts without checking the login details.
5

Hardware Security Keys

Physical devices such as YubiKey or Google Titan that use FIDO2/WebAuthn. Strong because they verify the real domain.
6

Passkeys

Passwordless sign-in based on public key cryptography. Passkeys are resistant to phishing because the private key stays on your device.

What to Enable First

Prioritize accounts by blast radius:
PriorityAccountWhy it matters
1EmailPassword resets for other services usually go here
2Password managerIt stores your other credentials
3Banking and paymentsDirect financial impact
4Cloud storageMay contain identity documents, backups, or work files
5Source code and developer platformsMay contain secrets, repositories, package publishing access, and CI/CD permissions
6School or work platformsCan expose private messages, assignments, HR data, or internal systems
7Social mediaUsed for impersonation and phishing contacts

Tokens, API Keys, and OAuth Apps

For developers and power users, the most dangerous credential may not be a password. It may be a token that allows automated access.

Common High-Value Secrets

  • GitHub or GitLab personal access tokens
  • npm, PyPI, Docker, or package registry publishing tokens
  • AWS, Azure, Google Cloud, or Oracle Cloud keys
  • SSH private keys
  • CI/CD deployment tokens
  • OAuth grants to third-party apps
  • Browser session cookies
  • Password manager recovery codes

Token Hygiene Rules

  1. Use the narrowest scope: A token that only reads one repository is safer than a token that can modify every repository.
  2. Prefer short-lived tokens: Long-lived tokens are valuable to attackers.
  3. Store secrets outside code: Use environment variables, platform secret stores, or dedicated secret managers.
  4. Review OAuth apps: Remove apps you no longer use, especially those with email, cloud drive, repository, or admin access.
  5. Rotate after exposure: If a device, extension, dependency, or CI job may be compromised, assume tokens on that system are exposed.
Recent developer tool compromises show why token hygiene matters. If malware steals a personal access token from a developer laptop, an attacker may be able to clone private repositories, publish malicious packages, or access cloud resources without knowing the user’s password.

Recovery Codes and Account Recovery

MFA can lock out attackers, but it can also lock you out if you lose your device. Save recovery codes safely. Good options:
  • Store recovery codes in your password manager.
  • Keep a printed copy in a locked physical location.
  • Register two hardware keys, one daily key and one backup key.
  • Review recovery email addresses and phone numbers quarterly.
Avoid:
  • Screenshots of recovery codes in your camera roll.
  • Reusing the same recovery email everywhere.
  • Sharing backup codes over chat or email.

Key Takeaways

  1. Use unique passwords: One breach should not compromise every account.
  2. Use a password manager: It is the practical way to manage strong, unique passwords.
  3. Enable MFA first on high-impact accounts: Email, password manager, banking, cloud, work, school, and developer platforms.
  4. Prefer phishing-resistant MFA: Hardware keys and passkeys are stronger than SMS and push approvals.
  5. Treat tokens like passwords: Scope them narrowly, rotate them, and remove unused OAuth apps.
  6. Plan recovery before you need it: Backup keys and recovery codes prevent lockout during a crisis.