Password Security and Multi-Factor Authentication
Passwords are still everywhere, but attackers increasingly steal more than passwords. They steal session cookies, recovery codes, OAuth grants, API keys, SSH keys, personal access tokens, and cloud credentials. Strong authentication now means protecting every secret that can prove identity or grant access. This page teaches the habits that stop one compromised account from becoming a larger breach.Why Most Passwords Fail
The Predictability Problem
When asked to create a “strong” password, many people follow the same patterns:- Start with a common word:
Password,Summer,Welcome - Capitalize the first letter:
Password - Add numbers at the end:
Password123 - Add a special character to satisfy requirements:
Password123!
Summer2026! looks complex, but it is predictable.
Password Entropy
Entropy measures unpredictability. Higher entropy means a password is harder to guess.| Password type | Example | Better or worse? | Why |
|---|---|---|---|
| Short common password | Password123! | Worse | Common pattern, easy to guess |
| Reused password | Same password on many sites | Worse | One breach affects many accounts |
| Random password | aK8$mQ2x!bL4nR7@wZ9 | Better | Long, random, hard to guess |
| Random passphrase | clash-atlas-grief-hound-cedar | Better | Long and memorable if generated randomly |
| Password manager generated secret | Unique 20+ character value | Best for most accounts | Unique per site and not memorized |
Length and uniqueness matter more than memorizing complex-looking patterns. Use a password manager for most passwords and a strong passphrase for the password manager itself.
Passphrases
A passphrase is a sequence of random, unrelated words used as a password. It is useful when you need to remember one important secret, such as your password manager master password or device login. Good passphrases:- Use random words, not a quote or sentence.
- Avoid personal information such as names, pets, birthdays, or favorite teams.
- Are long enough to resist guessing.
- Are unique and never reused.
| Example | Assessment |
|---|---|
clash-atlas-grief-hound-cedar | Strong if randomly generated |
i-love-my-dog-max | Weak because it uses personal information |
to-be-or-not-to-be | Weak because it is a famous quote |
Password Managers
A password manager is an encrypted vault that generates, stores, and autofills credentials. It solves the main human problem: you should not need to remember hundreds of unique passwords.What a Password Manager Should Do
- Generate unique random passwords for every account.
- Store passwords in an encrypted vault.
- Autofill only on the correct domain.
- Warn you about reused, weak, or breached passwords.
- Support MFA for the vault itself.
- Let you export an emergency recovery plan if appropriate.
Recommended Password Managers
| Manager | Type | Best for |
|---|---|---|
| Bitwarden | Open source, cloud-synced | General use and transparency-conscious users |
| 1Password | Commercial, cloud-synced | Families and teams with strong usability needs |
| KeePassXC | Open source, local-only | Offline environments and users who want maximum control |
| Apple Passwords / Keychain | Built into Apple platforms | Users fully in the Apple ecosystem |
Multi-Factor Authentication
Multi-factor authentication (MFA) requires proof from at least two different categories:- Something you know: Password, PIN, recovery phrase
- Something you have: Phone, authenticator app, hardware key, smart card
- Something you are: Fingerprint, face scan, iris scan
The MFA Spectrum
SMS Codes
Better than no MFA, but vulnerable to SIM swapping, phone number takeover, and message interception.
Authenticator Apps
Time-based codes generated locally by apps such as Aegis, Google Authenticator, Microsoft Authenticator, or 2FAS. Stronger than SMS.
Push Notifications
Convenient, but vulnerable to MFA fatigue if users approve prompts without checking the login details.
Hardware Security Keys
Physical devices such as YubiKey or Google Titan that use FIDO2/WebAuthn. Strong because they verify the real domain.
What to Enable First
Prioritize accounts by blast radius:| Priority | Account | Why it matters |
|---|---|---|
| 1 | Password resets for other services usually go here | |
| 2 | Password manager | It stores your other credentials |
| 3 | Banking and payments | Direct financial impact |
| 4 | Cloud storage | May contain identity documents, backups, or work files |
| 5 | Source code and developer platforms | May contain secrets, repositories, package publishing access, and CI/CD permissions |
| 6 | School or work platforms | Can expose private messages, assignments, HR data, or internal systems |
| 7 | Social media | Used for impersonation and phishing contacts |
Tokens, API Keys, and OAuth Apps
For developers and power users, the most dangerous credential may not be a password. It may be a token that allows automated access.Common High-Value Secrets
- GitHub or GitLab personal access tokens
- npm, PyPI, Docker, or package registry publishing tokens
- AWS, Azure, Google Cloud, or Oracle Cloud keys
- SSH private keys
- CI/CD deployment tokens
- OAuth grants to third-party apps
- Browser session cookies
- Password manager recovery codes
Token Hygiene Rules
- Use the narrowest scope: A token that only reads one repository is safer than a token that can modify every repository.
- Prefer short-lived tokens: Long-lived tokens are valuable to attackers.
- Store secrets outside code: Use environment variables, platform secret stores, or dedicated secret managers.
- Review OAuth apps: Remove apps you no longer use, especially those with email, cloud drive, repository, or admin access.
- Rotate after exposure: If a device, extension, dependency, or CI job may be compromised, assume tokens on that system are exposed.
Recovery Codes and Account Recovery
MFA can lock out attackers, but it can also lock you out if you lose your device. Save recovery codes safely. Good options:- Store recovery codes in your password manager.
- Keep a printed copy in a locked physical location.
- Register two hardware keys, one daily key and one backup key.
- Review recovery email addresses and phone numbers quarterly.
- Screenshots of recovery codes in your camera roll.
- Reusing the same recovery email everywhere.
- Sharing backup codes over chat or email.
Key Takeaways
- Use unique passwords: One breach should not compromise every account.
- Use a password manager: It is the practical way to manage strong, unique passwords.
- Enable MFA first on high-impact accounts: Email, password manager, banking, cloud, work, school, and developer platforms.
- Prefer phishing-resistant MFA: Hardware keys and passkeys are stronger than SMS and push approvals.
- Treat tokens like passwords: Scope them narrowly, rotate them, and remove unused OAuth apps.
- Plan recovery before you need it: Backup keys and recovery codes prevent lockout during a crisis.