A few weeks ago I received an unsolicited email from the Belgian Center for Cyber Security. It starts with the statement that 80% of cyber attacks could be avoided if 2FA was active and then says literally that If you only use a username and password for your remote logins, you're a sitting duck.
This is not true, username and password are no less secure than 2FA. In a way, they are more secure. I know this is controversial, but please bear with me, and I will explain CCB assumptions, my assumptions, and how it all makes sense.
CCB assumes that people can not be trusted with passwords. Over the years, the most popular passwords have been 123456 and password, closely followed by 12345678 and qwerty. Research has proven time and again that we use weak passwords whenever possible.
But hold on. These same people behave reasonably and optimally. Whenever they start using a new website or app, its value is close to zero, so it it an optimal strategy to use a weak password. More often than not, the interaction is unique or spaced in time so much that it makes no sense to save the password at all. When I visit a website I have not visited for years, my old password usually does not work anymore, and I have to reset it.
I have a workflow for auto-generating passwords and storing them in a password manager, but it is totally reasonable to expect other strategies for occasional users:
- Type in a weak password or a weak password with a trick, e.g including the name of the service in it so that the password is easy to remember.
- Monkey-type random text from keyboard until the password is accepted and immediately forget it, knowing that you will be able to recover access via email.
Weak passwords become problematic when users start relying on a service where they initially configured a weak password. Big Tech has already foud subtle but effective strategies for such cases, but smaller country-specific businesses did not.
One of the passwords that I know by heart is a famous classic quote clumsily translated in a mix of French and Dutch. It is long, it can not be brute-forced because of its length and I am pretty sure it is not present in any of the rainbow tables. I never spell it out, let alone write it down, but it is in my muscle memory as I haven't changed it for years.
There is no way someone on the internet can break into my ssh account or gmail account protected by such a password. This password is unbreakable for all practical purposes, see XKCD 538 Security and XKCD 936 Password Strength.
Lately some services started requiring 2FA. One of them is Github. Once I added 2FA to my Github account, it became less secure for me. Because security is not only about being protected from intrusion, but also about being able to securely access data at any time and in any circumstances.
Now, my Github access depends on the second factor, which I have chosen to be Microsoft Authenticator running on my phone. I genuinely do not know what will happen if my phone breaks down, so I downloaded TOTP codes from Github and even tried one to see if it works, and so far it does, but now I have one less TOTP code to use in case something happens. Moreover, since Github is now a special case for my password management routine, I am afraid I may loose those TOTP codes and be totally locked out of my account.
And, the worst of all, I have to think all that through, which is a waste of time, to start with.