While headlines celebrating (or bemoaning) the “death” of the password will continue to garner clicks, the reality is that the labyrinth of password complexity requirements and expirations will be around for a while.
The problem is that even with those debatably counterproductive complexities, credentials will still leak out. Users will reuse the one good password they came up with four years ago, and bad actors will continue to gain entrance invited only by that same poor security hygiene. 80% of all security breaches originate with compromised credentials. I encourage anyone who assumes they’re safe to run their email address through a tool like https://haveibeenpwned.com to discover whether or not they’ve already got credentials floating around in the dark corners of the web.
So what’s the next step in this game of
If Multi-Factor Authentication is available on a given tool, please use it. Please do not opt-out of it.
The idea is that even if an attacker has obtained your username and password, this second level of protection renders that information useless unless they also have your phone (or your fingertip, or your face, etc.). Whether you receive that little code as a text message or an email, or use a generator app such as Google Authenticator or Authy, it could save you a substantial amount of time and even money. In addition to these MFA methods, some tools (including those built by Cascade) offer support for hardware tokens like YubiKey or Google's Titan Security Keys. These are often considered superior to email and SMS codes, since email and SMS can be compromised by a determined attacker.
If you're curious about the security on your site or want more information about our security, please reach out to firstname.lastname@example.org.