**Password Resets in an Age of MFA**
https://shkspr.mobi/blog/2024/07/password-resets-in-an-age-of-mfa/
Recently, WordPress got in contact with me to say they suspect that my password was exposed in some sort of data breach. Well, it's a day ending with a "y" - so of course some scumbag has pilfered my digital identity.
WordPress mandated that I change my password. But was that really necessary?
Firstly, the password was uniquely generated by my password manager[^1]. It isn't re-used anywhere else. So there is no chance of hackers breaking into my email, bank, or OnlyFans account[^2].
Secondly, and more importantly, I have a 2FA app which provides me with a TOTP code every time I want to log in. Even if the evil ne'er-do-wells have my username *and* password, they can't get in without the MFA code[^3].
So, should I change my password?
To understand this, it's worth considering the risks - both of action and inaction.
Changing a password isn't without risk:

- Perhaps some long-forgotten app or service relies on that password. If I change it, what will break?
- Do I trust my password manager to give me a strong password?
- What if the original email is a phishing attempt and I end up giving the baddies my credentials?
- Can I be bothered spending the time maintaining this old account?

As for the risks of inaction:

- Using my details, a miscreant *might* convince WordPress to disable MFA on my account.
- If there was a breach, my MFA seed secret might also have been stolen.
On balance… yeah, obviously I should change my password. It is a 30 second job with a decent password manager. But, I might argue, there isn't much *urgency* in doing so.

- A strong and unique password means there is no risk of collateral damage to other accounts.
- The use of MFA adds an extra layer of protection which buys you time.
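To make the "buys you time" point concrete, here is an added example (not the author's code) of how an RFC 6238 TOTP code is derived from the seed secret, using the RFC's published test seed rather than any real account's secret. It shows that a leaked six-digit code is only accepted within its 30 second window (plus a little clock skew), whereas anyone holding the seed itself can produce a valid code at any moment, which is why a breach that might include the seed is the more serious case.

```python
import hashlib
import hmac
import struct

# RFC 6238 reference seed (ASCII "12345678901234567890"), used here as a
# constructed stand-in for the seed an authenticator app scans from a QR code.
RFC6238_SEED = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10**digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30 s window."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def verify(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check, accepting one window either side to tolerate clock skew."""
    counter = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )


if __name__ == "__main__":
    code = totp(RFC6238_SEED, 59)  # RFC 6238 test vector: "287082"
    print("code at t=59:", code)
    # A leaked code stops being accepted once its window (plus skew) has passed ...
    print("accepted at t=59:", verify(RFC6238_SEED, code, 59))
    print("accepted 5 windows later:", verify(RFC6238_SEED, code, 59 + 5 * STEP_SECONDS))
    # ... but whoever holds the seed can regenerate a fresh, valid code at any time.
    later = 1234567890
    print("seed holder's code still accepted:", verify(RFC6238_SEED, totp(RFC6238_SEED, later), later))
```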
Thankfully, we've moved on from the outdated advice to [regularly change your password](https://www.ncsc.gov.uk/collection/passwords/updating-your-approach#PasswordGuidance:UpdatingYourApproach-Don'tenforceregularpasswordexpiry). Now we only have to change them when there's been a breach. Which, coincidentally, is every 30 days…
The future ain't what it used to be!

[^1]: It was `w@&7%GUznK#9^}<S5` if you must know.
[^2]: Lots of weirdos want to buy videos of me recompiling Linux while in my pants. Who am I to judge?
[^3]: It is currently `194 685`.
#2fa #CyberSecurity #MFA #passwords #totp