One of the questions we often get from our users is definitely a tricky one to answer: “Should I opt for a strong password to protect my data or just pick an easy one and rely blindly on Two-Factor Authentication (2FA)?” We tried our best to crack this dilemma for you.
In our daily job as Myki creators, our main duty is to help people stay safe online, but we must also keep in mind the balance between security and convenience. Since no solution is perfect, helping a family member pick a strong password, for example, is often easier than trying to convince them to use something like 2FA. Despite being an additional layer of security, 2FA can seem difficult to understand and might deter some from using it in the first place.
Throughout our blog, you’ll notice that we, at Myki, mostly advocate using both: a strong password, coupled with a two-factor authentication method. The idea is that requiring two things — a password and a temporary PIN — in order to log in is more secure than only one.
Now let’s assess the two scenarios and weigh the pros and cons of each.
Weak Password with 2FA
Two-factor authentication (2FA) comes in many shapes and sizes, with different levels of protection and, unfortunately, different levels of inconvenience as well. Most users consider SMS-based authentication the convenient form of 2FA, but to security practitioners it is the weakest of the common options: the code travels through the phone network, so an attacker who talks your carrier into a SIM swap receives it instead of you, and it can be phished like any other code.
Bear in mind that the best type of 2FA for you depends on your personal needs, and it is only as good as the care you take with it. If you can be talked into reading a one-time code to a caller or typing it into a page that isn't the real site, or you lose a physical token along with the password it protects, then no 2FA method will save you from being hacked.
However, if you stay alert and follow best practices, two-factor authentication is a great way to improve your personal and professional security with a fair dose of convenience, especially now that authenticator apps let you do it with little extra effort from the smartphone you carry around anyway.
We hate to admit it, but it is what it is: a weak password plus two-factor authentication might still be safer than a strong password alone. How come? With 2FA your account is protected not only by the password but also by the second factor. Even if your weak password is cracked by brute force or simply found in a breach list, the attacker still can't get in without the second factor. The caveat is that the second factor is now the only thing standing between them and your account, and if you reused that weak password anywhere that doesn't have 2FA, those accounts are already gone.
Strong Password without 2FA
The importance of setting a strong password is something we are hammered with on the regular. Sign-up forms grade our chosen password as we type it, we hear about it on the news and social media, we read about it on security blogs, and every few months an email reminds us it's time to update it. So you'd think that by now most of us use strong passwords, right? WRONG! It's just not the case, and weak or reused passwords remain one of the most common ways accounts get compromised.
Now let’s suppose you do use a strong password and that you are relying solely on that to protect your data. Before calling that reckless, it is worth remembering that 2FA, effective as it is, can be defeated, and when it is, the password is all you have left.
The most talked-about way is a man-in-the-middle (MITM) attack. In its simplest form an attacker on your network, whether through a weak home WiFi password or the public hotspot at your favorite coffee shop, captures your traffic; that only exposes whatever isn't protected by TLS, so on its own it rarely yields a login. The version that actually beats 2FA is a phishing page that sits between you and the real site, passes your password and one-time code straight through to it while the code is still valid, and keeps the resulting session for itself. Either way, ANY WiFi network that you do not control, or that is open to the public, should be considered unsafe.
Another scenario is exploiting vulnerabilities in IoT devices such as CCTV cameras or smart appliances on your home network, which gives an attacker the same foothold inside the network without having to crack the WiFi at all.
Aside from MITM attacks, the easiest way for a hacker to get into your account is social engineering: spoofing your phone number and calling the account provider pretending to be you, for example. Someone impersonating you can often persuade a support representative to “reset” your password, and unfortunately they may gladly oblige. 2FA can't stop this either, because the attacker never has to pass the login at all; they get the provider to open the door for them.
Moreover, if your “second factor” is a security question like “What is the name of your first pet?”, it is barely a second factor at all: it is one more thing you know, and often something a relative, an old social media post or a people-search site knows too. There are several variations on this. If someone steals a company's database containing hashed passwords and the second-factor material in the clear (security-question answers, or the secrets behind the one-time codes), they are already halfway to breaking into your account.
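To make the two claims above concrete, here is an added example (our own illustration, not Myki's code or any product's login logic): a minimal server-side login check that verifies a salted password hash and then a TOTP code (RFC 6238, HMAC-SHA1, 30-second steps, the scheme behind most authenticator apps). It shows the point from the first section, that a cracked weak password alone is stopped by the second factor, and the point from the MITM paragraph, that a code captured by a phishing proxy and relayed within its validity window is accepted. The account, the fixed timestamp and the RFC 4226 test secret are constructed for reproducibility, and the replay protection (`last_step`) is one common implementation choice, not something the text prescribes.

```python
"""
Added example, not Myki's code: password + TOTP login check, with constructed
attack scenarios. The account, timestamp and the RFC 4226 test secret
b"12345678901234567890" are illustration data, not real credentials.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Optional

STEP = 30        # seconds per TOTP time step
WINDOW = 1       # accept one step either side of "now" to tolerate clock skew
DIGITS = 6
PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def create_account(password: str, totp_secret: Optional[bytes] = None) -> dict:
    """Store a salted PBKDF2 hash of the password plus the shared TOTP secret."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret or secrets.token_bytes(20),
        "last_step": -1,   # highest time step already accepted; used to refuse replays
    }


def check_password(acct: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, acct["pw_hash"])


def verify_totp(acct: dict, code: str, now: int) -> str:
    """Return 'ok', 'bad code' or 'code already used'."""
    step = now // STEP
    for candidate in range(step - WINDOW, step + WINDOW + 1):
        if hmac.compare_digest(hotp(acct["totp_secret"], candidate), code):
            if candidate <= acct["last_step"]:
                return "code already used"   # same step was consumed earlier
            acct["last_step"] = candidate
            return "ok"
    return "bad code"


def login(acct: dict, password: str, code: str, now: int) -> str:
    if not check_password(acct, password):
        return "bad password"
    return verify_totp(acct, code, now)


def run_scenarios() -> dict:
    """Constructed scenarios against an account with a deliberately weak password."""
    acct = create_account("password123", totp_secret=b"12345678901234567890")
    now = 1_699_999_990                        # fixed: 10 s into a 30 s step
    good = hotp(acct["totp_secret"], now // STEP)
    wrong = str((int(good) + 1) % 10 ** DIGITS).zfill(DIGITS)
    r = {}
    # 1. password found in a breach list, but no valid code: stopped by 2FA
    r["cracked_pw_no_code"] = login(acct, "password123", wrong, now)
    # 2. victim typed password and code into a phishing page; the proxy
    #    relays both to the real site 10 s later, still inside the step
    r["relayed_within_window"] = login(acct, "password123", good, now + 10)
    # 3. the victim's own attempt with that code now fails: step already used,
    #    but the attacker already holds a session
    r["victim_after_relay"] = login(acct, "password123", good, now + 12)
    # 4. the captured code two minutes later is outside the skew window
    r["replayed_after_window"] = login(acct, "password123", good, now + 120)
    return r
```

Scenario 2 is the whole reason a phishing proxy works: nothing in the code tells the server that the person typing it is not the person who generated it, only that it was typed within the window. Scenario 3 shows that replay protection does not help the victim here; by then the attacker is already logged in.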
To summarize, you still need a strong password, since you can’t always be sure that your “second factor” will protect you. It doesn't have to be the best password in the world, but it has to be strong enough that a hacker won't find it in a dictionary or in the lists of “most popular passwords” from previous breaches, and won't get to it from one of those entries by tacking on a digit or a symbol, which cracking tools try automatically.
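As an added example of the check described above (ours, not Myki's password meter), the script below rejects a password that appears in a popular-passwords list either verbatim or after the cheap "mangling" rules cracking tools apply: case changes, leet substitutions, and a digit or symbol tacked on the end. The word list is a constructed sample (a real check runs against full breach corpora), and the 12-character and 60-bit floors are assumed thresholds, not figures from the text.

```python
"""
Added example, not Myki's code: is a password "strong enough" in the sense
of the text, i.e. not in a popular-passwords list even after common mangling?
COMMON_PASSWORDS is a constructed sample; MIN_LENGTH and MIN_BITS are assumed floors.
"""
import math
import re

COMMON_PASSWORDS = {   # constructed sample, not a real breach list
    "password", "123456", "qwerty", "letmein", "iloveyou",
    "admin", "welcome", "monkey", "dragon", "football",
}

# Reverse the leet substitutions that cracking rule sets try ("p@ssw0rd" -> "password").
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 12     # assumed floor
MIN_BITS = 60       # assumed floor on the charset-based upper-bound estimate


def normalize(password: str) -> str:
    """Strip the cheap decorations and undo leet-speak to recover the base word."""
    base = password.lower()
    base = re.sub(r"[^a-z]+$", "", base)   # trailing "1!", "123", "2024"
    base = re.sub(r"^[^a-z]+", "", base)   # leading "!" or digits
    return base.translate(UNLEET)


def estimate_bits(password: str) -> float:
    """Upper bound from the character classes used. A phrase of dictionary
    words scores far higher here than it deserves, so treat this as a ceiling."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33
    return len(password) * math.log2(size) if size else 0.0


def check_password(password: str, blocklist=COMMON_PASSWORDS):
    """Return (accepted, reason)."""
    if password.lower() in blocklist:
        return False, "appears verbatim in a popular-passwords list"
    base = normalize(password)
    if base in blocklist:
        return False, f"is '{base}' plus a mangling rule every cracker tries"
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    bits = estimate_bits(password)
    if bits < MIN_BITS:
        return False, f"only ~{bits:.0f} bits even as an upper bound"
    return True, f"not in the list, ~{bits:.0f} bits upper bound"


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "Dragon123", "Tr0ub4dor&3", "xK9#mQ2vL7pW4zRt"]:
        ok, why = check_password(candidate)
        print(f"{candidate!r}: {'ok' if ok else 'rejected'} ({why})")
```

The normalization step is what a plain dictionary lookup misses: "P@ssw0rd1!" satisfies every "uppercase, digit, symbol" rule a sign-up form enforces and still falls to a cracker's first rule set, because its base word is "password". A generated password has no base word to recover, which is why a manager's random output passes where a decorated word does not.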
All in all, 2FA makes life much harder for attackers, because it is a lot more difficult to obtain both someone's password and full access to their mobile phone, or their password and their voice for authentication. And the longer and more random your password is, the less likely you are to get hacked.
In turn, a weak password undermines the protection of your account and turns two-factor authentication into one-factor authentication. That’s why the first scenario (weak-ass password + 2FA) is less safe than the combination of a strong, complex password and 2FA. Yes, we insist!
And if you can’t bear the hassle of making sure every one of your passwords is complex, different from all the others, and contains the right length and mix of capital letters, special characters, numbers, and the blood of 3 virgins, a password manager can do the job for you and make your life much easier. Like Myki, for example.
With Myki you can generate a unique, complex password for every site you use. It also works as an authenticator that securely stores your 2FA secrets and fills the codes in your browser when you log in. Most importantly, it auto-fills your passwords so you don’t have to type them yourself each time you log in to one of your accounts.