Recovering from MFA Lockout

I very skeptical of multi-factor authentication (MFA). Here’s the nightmare scenario:


And a very compelling tale, to boot.

The frustration of the few that the many are still using passwords that are tributes to their cats in 2022…THIS may be an explanation why a great majority of folks won’t be bothered.

My late father used “KilroyWasHere” as his single go-to password, because he insisted he had nothing digital worth stealing.

I didn’t take after him; my 1Password vault generally has about 1,300 entries in it, and most of them are unique passwords for different sites. Some of them also include 2FA secrets. I couldn’t tell you what any of those passwords are because every one of them is random, and most of them are long. (I just set up an account on a .gov site with a 100-character random password. Take that, NSA!)

The question that this raised for me: Does it turn out that my father’s method is more practically secure, even if guessing one password would have allowed access to all his stuff?

1 Like

Absolutely not. The worst Security Sin is sharing passwords and other optional credentials between different sites.

“One rotten apple can spoil the bushel.” translates to IT talk as “A miscreant has only to corrupt one site to have your credentials for all your sites.”

Well, of course. My father passed into the next life as one of the worst sinners, for sure. But he always had access to his stuff, and (to clarify) his passwords all related to stuff on his local machine. He was not a believer in the ubiquity of online presence.

The article raises (or should raise) the more important question of where to draw the line between a craven depraved insecure existence that is as accessible as the nearest back-alley dive bar, and a pure ideal life of hermetically sealed security that can end up cast out of the garden in 30 microseconds.


Here’s the nightmare scenario, being locked out of your accounts and therefore having no way to receive and respond to account password resets:


And for even more of a shiver: I have to use Google Drive for a project at work. Every time I plug a device like a USB stick into one of my Macs, Google Drive pops up and offers to suck all the photos out of it and “store them safely in Google Drive.” It ignores the checkboxes I keep checking to get it to stop doing this, and until yesterday I was not motivated to dive deep into the innards of Google to figure out a permanent solution. [EDIT: there is a “Prompt me to back up devices” preference, but the actual Preferences have an information card you have to get through first.

It appears from the article that Google scans all photos loaded to their cloud. The closest I’ve come to sharing photos with a medical professional during the pandemic has been when one of my dogs had an infected anal gland and they asked me to send them a picture of their butt.

I don’t use Gmail, but if I did, or if the photo had been “backed up” (or as I’m now starting to think of it, “vacuumed”) to Drive, someone could conceivably have thought of it as porn related to bestiality. No, and yuck.

The most disturbing part of the article is the no-surprise lack of responsiveness shown by Google after they made this error.