Yes.

2FA (Two-Factor Authentication) adds a strong safety net, but it doesn’t replace the need for good passwords. As the first factor, passwords work together with 2FA to protect you from different kinds of attacks.

Password strength and two-factor authentication
Strong passwords still matter, even with 2FA. Two-factor helps block many attacks, but it can’t stop everything. A weak or reused password can still be guessed, stolen, or misused in ways 2FA won’t catch. Using both a strong password and 2FA gives you the most reliable protection.
Why people ask
I get it, I really do. Account security is not only overly complex, but a moving target. What was good enough a few years ago is considered “asking to be compromised” today. People are tired of juggling long, complicated passwords and hearing that they should be longer and more complicated than ever.
There’s also a fallacy that two-factor means hackers just can’t get in, so why bother with the other parts?
And, of course, the whole move to a promised “passwordless” future casts doubt on the importance of passwords as we move forward.
“Even if they know your password”
I’ve often said that two-factor authentication of any sort is powerful security because it protects your accounts from attack even if “they” know your password. Without your second factor, they still can’t get in.
That’s true whether your password is “password”, “FLd*Wd2bJM%LvG7xjE$TiWB”, or something in between.
So, in that sense, you’re correct: 2FA protects you regardless of the strength of your password. Two-factor authentication stops someone who knows your password from signing in.
How did they get your password?
- Phishing
- Stolen databases (breaches)
- Password reuse
- Keyloggers
With two-factor in place, an attacker signing in from a computer you haven’t signed into before has to provide the second factor. Presumably, they cannot, and thus you’re protected.
What 2FA Does Not Protect You From
Two-factor is important, but it’s not perfect. Someone who knows (or can guess) your password can still cause mischief in a number of ways.
- If someone sits down at your computer while you’re getting coffee, 2FA does nothing. Even if you’re logged out, the system will likely not ask for the second factor again, because you already provided it once on that computer.
- A man-in-the-middle phishing attempt can convince you to enter a two-factor code. It doesn’t ask for your password, so it feels safer. Meanwhile, the attacker is signing into your account using the password they got elsewhere and the two-factor code you’re handing them in real time.
- Hackers can try your password across other services you use that don’t support 2FA and sign in anywhere you’ve reused the password.
- They can use a SIM-swapping attack to sweet-talk your mobile provider into reassigning your phone number, thus hijacking your second factor and logging in as you.
- Or they might be able to gain physical access to your second factor and log in as you.
Choosing a weaker password weakens your security against all these attacks.
Passwordless?
Password authentication is not perfect by any means, and there are moves to reduce or even eliminate passwords in various ways, including passkeys and passwordless accounts.
Passkeys are great where they are supported. Even so, you need to be able to sign in some other way (which may or may not involve a password) in order to set them up.
True passwordless accounts use other sign-in mechanisms like email confirmation, text message authentication, or something else.
Both cases are still single factors. 2FA can still be layered on top for additional security.
And, of course, it’ll be a while before we get there. Passwords will be around for a long time.
Password strength still matters, even with 2FA
The whole point of two-factor authentication is to have two strong authentication mechanisms that work in tandem to secure your account. Weakening either weakens your overall security. By reducing your password complexity, you’re choosing to allow your second factor to be, in effect, the single factor.
Consider this sequence:
- Weak passwords are easier to guess.
- Attackers can then try signing in, triggering 2FA prompts.
- If you’re getting a flood of 2FA prompts, there’s a higher chance you’ll approve one by accident or in a panic.
This is also the psychology behind so-called MFA fatigue. You tire of these annoying 2FA prompts, so you just say yes to make them stop.
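The sequence above (password guessed, sign-in attempts, a flood of 2FA prompts, one accidental approval) leaves a recognizable trail in sign-in logs. The following Python script is an added example, not code from the original article, that scans a few constructed log lines for that pattern: it flags any account that receives several MFA prompts in a short window, counts the failed password attempts that preceded the flood, and reports whether a prompt was eventually approved. The log format, the account names, the IP addresses and the thresholds are all assumptions made for the example.

```python
"""Spot the 'guessed password -> 2FA prompt flood -> panic approval' pattern in auth logs.

Added example for illustration; the log format below is assumed, and the
sample lines are constructed, not taken from any real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed format: "<ISO timestamp> user=<name> event=<type> ip=<addr>"
# where <type> is password_ok | password_fail | mfa_prompt | mfa_approve | mfa_deny.
SAMPLE_LOG = """\
2024-05-01T08:00:01 user=alice event=password_fail ip=203.0.113.7
2024-05-01T08:00:03 user=alice event=password_fail ip=203.0.113.7
2024-05-01T08:00:05 user=alice event=password_ok ip=203.0.113.7
2024-05-01T08:00:06 user=alice event=mfa_prompt ip=203.0.113.7
2024-05-01T08:00:06 user=alice event=mfa_deny ip=203.0.113.7
2024-05-01T08:00:20 user=alice event=password_ok ip=203.0.113.7
2024-05-01T08:00:21 user=alice event=mfa_prompt ip=203.0.113.7
2024-05-01T08:00:35 user=alice event=password_ok ip=203.0.113.7
2024-05-01T08:00:36 user=alice event=mfa_prompt ip=203.0.113.7
2024-05-01T08:00:50 user=alice event=password_ok ip=203.0.113.7
2024-05-01T08:00:51 user=alice event=mfa_prompt ip=203.0.113.7
2024-05-01T08:01:05 user=alice event=password_ok ip=203.0.113.7
2024-05-01T08:01:06 user=alice event=mfa_prompt ip=203.0.113.7
2024-05-01T08:01:07 user=alice event=mfa_approve ip=203.0.113.7
2024-05-01T09:15:00 user=bob event=password_ok ip=198.51.100.4
2024-05-01T09:15:01 user=bob event=mfa_prompt ip=198.51.100.4
2024-05-01T09:15:09 user=bob event=mfa_approve ip=198.51.100.4
"""


def parse_line(line):
    """Turn one log line into a dict with a datetime timestamp."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts_str), "user": kv["user"],
            "event": kv["event"], "ip": kv["ip"]}


def parse_log(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def find_prompt_floods(events, window=timedelta(minutes=5), threshold=3):
    """Return {user: finding} for every user who got >= threshold MFA prompts
    inside any sliding window of length `window`.

    Each finding records the densest window seen, how many password failures
    preceded it (the 'guessing' stage), and whether a prompt was approved at
    or after the start of the flood (the 'approved by accident' stage).
    """
    prompts = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_prompt":
            prompts[e["user"]].append(e["ts"])

    findings = {}
    for user, times in prompts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count < threshold:
                continue
            prev = findings.get(user)
            if prev is None or count > prev["prompts"]:
                first, last = times[start], times[end]
                fails_before = sum(
                    1 for e in events
                    if e["user"] == user and e["event"] == "password_fail"
                    and first - window <= e["ts"] <= first)
                approved = any(
                    e["user"] == user and e["event"] == "mfa_approve"
                    and e["ts"] >= first for e in events)
                findings[user] = {"prompts": count, "first": first, "last": last,
                                  "password_fails_before": fails_before,
                                  "approved_after_flood": approved}
    return findings


if __name__ == "__main__":
    for user, f in find_prompt_floods(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {f['prompts']} prompts between {f['first']} and {f['last']}, "
              f"{f['password_fails_before']} password failures first, "
              f"approved={f['approved_after_flood']}")
```

Run against the constructed log, the script flags only alice: five prompts in about a minute, preceded by two failed password attempts, ending with an approval. bob’s single prompt-and-approve is normal sign-in behaviour and stays below the threshold. The thresholds are deliberately loose; a service that prompts users more often would tune `window` and `threshold` to its own baseline before alerting on this.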
Done properly, strong passwords plus two-factor authentication are like having both a doorknob lock and a deadbolt on your front door. Either keeps a certain level of intruder out, but using both makes it that much harder for anyone to get in.
Do this
For good account security, you want a unique, strong password for every account, and 2FA enabled everywhere it’s an option.
You don’t need to remember complicated, long passwords; your password manager does that for you. Your job is to set things up once and let the tools work for you.