DEV Community


Discussion on: The Password Struggle

bradtaniguchi profile image
Brad • Edited

I believe multi-factor is pretty good if done securely. So sorry sms verifications aren't that secure.

If you have a titan security key, or something like the authentication app on your phone and a password, you have 2 factors to your authentication and are pretty secure. Google basically eliminated phishing attacks due to using company wide security keys. (ref)

I personally don't believe in the "Change your password every X" systems, as it makes it more likely to make bad passwords, or forget them, and in most security scenarios the weakest link is people.

If we wanted to take things a step further than "what you know" and "what you have" then you can go down the list of the following:

  1. What you know - passwords
  2. What you have - physical keys, wallets
  3. What you are - physical traits like fingerprints
  4. Where you are - your physical location, IP location, relative to your last location, etc
  5. Something you do - observable actions (this one isn't that common)


Logging in with another service doesn't necessarily mean they get my password, they do get a token that represents me but my password should be secured by 1 party. I try to login using the same account for this reason, as it should lessen my exposure of passwords out in the wild.

Finally, I wanted to bring up I remember reading there are ways to still prevent quantum computers from destroying our current security, but I totally forgot where I can find a reference for it. 🤔