Recovering from MFA Lockout

I'm very skeptical of multi-factor authentication (MFA). Here's the nightmare scenario:


And a very compelling tale, to boot.

The frustration of the few that the many are still using passwords that are tributes to their cats in 2022… THIS may be an explanation of why a great majority of folks won't be bothered.

My late father used “KilroyWasHere” as his single go-to password, because he insisted he had nothing digital worth stealing.

I didn’t take after him; my 1Password vault generally has about 1,300 entries in it, and most of them are unique passwords for different sites. Some of them also include 2FA secrets. I couldn’t tell you what any of those passwords are because every one of them is random, and most of them are long. (I just set up an account on a .gov site with a 100-character random password. Take that, NSA!)

The question that this raised for me: Does it turn out that my father’s method is more practically secure, even if guessing one password would have allowed access to all his stuff?

Absolutely not. The worst Security Sin is sharing passwords and other optional credentials between different sites.

“One rotten apple can spoil the bushel” translates to IT talk as “A miscreant has only to corrupt one site to have your credentials for all your sites.”

Well, of course. My father passed into the next life as one of the worst sinners, for sure. But he always had access to his stuff, and (to clarify) his passwords all related to stuff on his local machine. He was not a believer in the ubiquity of online presence.

The article raises (or should raise) the more important question of where to draw the line between a craven depraved insecure existence that is as accessible as the nearest back-alley dive bar, and a pure ideal life of hermetically sealed security that can end up cast out of the garden in 30 microseconds.