
> I never spell it out, let alone write it down, but it is in my muscle memory as I haven't changed it for years. There is no way someone on the internet can break into my ssh account or gmail account protected by such a password.

Oh dear. The issue isn’t the brute force, it’s that the online services leak and get cracked. And in an instant a single script takes the newly discovered username password combo and starts hammering it into the top 10000 websites, all within moments of the leak data becoming available.

Your super secret favourite phrase is worth crap once leaked alongside your email address.

Further, don’t choose Microsoft for your auth app. Go with an open-source option, maybe one that encrypts and syncs so you have multiple devices, just in case.



> Oh dear. The issue isn’t the brute force, it’s that the online services leak and get cracked. And in an instant a single script takes the newly discovered username password combo and starts hammering it into the top 10000 websites, all within moments of the leak data becoming available.

This is only ever a problem if your password is reused. Don't reuse passwords, and if some website is hacked and they were storing your password in plaintext you just have to reset your password (the same way everyone else does, 2FA or not).


> This is only ever a problem if your password is reused

That is the context of the reply, although I think they misread the article.


Also don't re-use email addresses.


The larger problem is that when your password gets hacked, for whatever reason, the MFA protects your account.

Anyone else here had friends have their, say, Instagram account hacked? None of them ever have MFA on, and it causes great distress.

MFA IS a good idea for multiple reasons.


MFA is a bad idea for as many reasons if not more: complexity of implementation, variety, digital sovereignty... to name a few.


the weird thing is:

- if you use 1password (an example), then you're generating a bunch of random and unique passwords for every site
- questions to verify you as a 2fa tend to be less secure since you tend to make simple answers for those. And they're not convenient to enter into 2fa apps.
- 2fa apps are typically great ways to guarantee one bit of randomness into the process


I use the same app for most 2fa and the passwords themselves (Bitwarden). It makes the 2FA slightly weaker being in the same app, but infinitely more useful. It does bug me that they (Bitwarden) as a service want me to use 2FA for first logins, which makes it harder to access. My master passphrase is long, unique and only on their app/site.


Master password that you share with a third party?

I probably do not understand how Bitwarden works, but this feels wrong anyway.


If trust issues and paranoia are sufficient, you can definitely self-host the server portion of the application, and many do. ;-)

Bitwarden is open-source enough to where all functionality can be self-hosted, run on one's own and reviewed. IIRC, there are a couple of non-FLOSS modules for the commercial release in different directories under source control... Some are more purist than others.


While true... this is less of an issue if the breached database includes strongly encrypted passwords with individual salts. At least half of them are going to be part of existing breaches, but you aren't going to bother with the rest as it can/will take an exponential amount of time if they are treated properly, leaving OP's password safe(ish).


So I am supposed to trust that the random forum I have to sign up for to view the solution of a question securely hashes the password I send them?

That’s pretty much like handing your car keys to a random person on the street and being confident they will take it to the bank and put it in a locker.


Why do you care? It's not like you use the same password for everything right?


I don’t, but the people we try collectively to protect do. That’s why we have 2FA and Passkeys in the first place, because most people will not conform to security best practices.


Passwords can leak in many ways other than database breaches. Malicious front-end code and accidental logging that goes to a public place like an S3 bucket are two examples.


It's also less of an issue if the passwords never get leaked at all. The question is how much of a bet you're willing to make on the security practices of all of the sites where you have an account following this practice, and at least to me it doesn't seem smart.


I could not agree more with this comment. OP entirely misses the point of 2FA. I sleep so much better at night knowing that I have different passwords for every account, and 2FA where possible. One should not write about 2FA when one uses the same "uncrackable" password everywhere...


Maybe I missed it (it's early and I haven't even had coffee yet) but where did the author say they reused the same password over multiple sites?


Not sure I understand — passwords are generally hashed in databases. Even if leaked, an attacker would still need to brute-force the hash to retrieve the actual password, wouldn’t they?


You’d think so. But over and over, plain text leaks of passwords are the practical reality of the modern internet. A disgruntled staff member, poor tech practices or someone working out a way to get in and get access.

The https://haveibeenpwned.com/ project regularly shares new breached datasets. Reusing passwords across websites without MFA is just not not not recommended in 2025.


"Generally", sure. How do you guarantee every service you've ever signed up for uses proper salting and hashing though? All it takes is one for your entire security model to go down the drain.
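As an added illustration of the salting point made in this comment and in the earlier one about "strongly encrypted passwords with individual salts" (example code written for this page, not posted by anyone in the thread), the constructed Python below contrasts an unsalted fast hash with a per-record random salt plus a slow KDF (PBKDF2-HMAC-SHA256 from the standard library). The sample users, passwords and "common password" list are all made up; the point is that the weak table reveals which users share a password and falls to one precomputed lookup, while the salted table hides reuse and forces a fresh KDF evaluation per guess per user.

```python
import hashlib
import hmac
import os

# Constructed sample records: alice and bob happen to share a password, the
# situation the thread warns about. All values are made up for this example.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
    "carol": "Tr0ub4dor&3",
}
COMMON_PASSWORDS = ["password", "123456", "correct horse battery staple"]
PBKDF2_ROUNDS = 100_000  # work factor; tune upward on real hardware


def store_unsalted(password: str) -> str:
    """Weak scheme: one fast, unsalted hash. Equal passwords give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password: str, salt: bytes = b"") -> tuple:
    """Proper scheme: 16-byte random salt per record plus a slow KDF."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(store_salted(password, salt)[1], digest)


def build_table(users: dict, salted: bool) -> dict:
    """What a breach of each storage scheme would expose to whoever holds the dump."""
    if salted:
        return {u: store_salted(p) for u, p in users.items()}
    return {u: store_unsalted(p) for u, p in users.items()}


def distinct_digests(table: dict) -> int:
    """Salted tables hide reuse: every record differs even when passwords are equal."""
    values = [v[1] if isinstance(v, tuple) else v for v in table.values()]
    return len(set(values))


def precomputed_hits(table_unsalted: dict, common: list) -> dict:
    """Why unsalted fast hashes fail: each common word is hashed ONCE, and a dictionary
    lookup then recovers every user who chose it at no per-user cost."""
    lookup = {store_unsalted(p): p for p in common}
    return {u: lookup[d] for u, d in table_unsalted.items() if d in lookup}
```

PBKDF2 is used here only because it ships with the standard library; bcrypt, scrypt or Argon2 are the usual choices in production, and the structure (random salt per record, slow KDF, constant-time compare) is the same.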



