Owl's Roost

Why Password Managers and MFA Matter

"Use a password manager and turn on Multi-Factor Authentication (MFA)."

This advice is often shared without much justification behind it. I wouldn't expect anyone to go through the time and effort needed to install a program and load all of their passwords into it without understanding why that's important, so it always bugs me to see folks say "it's more secure" without explaining why that's true.

Password managers are great because...

Simple passwords suck.

People tend to choose terrible passwords. This isn't anyone's fault- it's more that we all struggle to remember a set of arbitrary numbers and letters. It's easier to pick something memorable. Maybe your password is your kid's name and their date of birth. Maybe it's a word plus some numbers tacked onto the end. If you're adventurous, maybe you tacked an @ sign onto the end as well. I can't blame anyone for choosing a password like that. "Michelle1984" is much more memorable than "{jF-`5s60'Ambd", and forgetting a password makes getting into your own account a hassle.

The problem is this: "Michelle1984" is really easy to guess. Want to know how easy? I chucked it through a hash calculator[1] to simulate how passwords are usually stored[2][3], then shoved the results into a free hash cracking site. I clicked the "go" button. "Michelle1984" was cracked instantly. Worse still, it's been cracked at least 70 times before in real breaches. If this were your password, you'd be screwed.

Even if this password had never been used before, it would still be easy to crack. One way people try to crack passwords is through a masking attack. People tend to make passwords in predictable ways: a word, then some numbers, then maybe a symbol. Instead of trying every single possible password, attackers can try passwords that match that pattern. This makes it much, much faster to crack passwords. An attacker can often get through hundreds or thousands of simple passwords in just a few hours.

Long passwords suck.

Okay, so simple passwords are a bad idea. Unfortunately, long passwords aren't always enough to protect you either. Many people reuse their passwords for multiple sites. These might be wonderful, secure passwords that are hard to guess. Unfortunately, a security breach at any one of those sites means that any other accounts using that lovely password are now at risk. Attackers often try cracked credentials on other sites to see if they work (this is called "credential stuffing"). This is why password reuse is a problem. Even if your password is foolproof, it can still be cracked with a little effort. Using different passwords for different sites limits any damage should a site be "hacked".

As computers get more powerful, cracking passwords gets easier. This means that passwords need to be longer and more complex to slow down cracking efforts. Unfortunately, no one wants to remember a 20+ character password, and if it can be remembered, then it's probably predictable enough to crack. The average person is not going to come up with something that's truly secure.

All of this makes it almost impossible to use strong passwords. If everyone needs to remember a long, random string of characters for every single account they have, then almost no one is going to put in the effort. It's just too hard for anyone to remember that many random symbols.

Password managers make everything suck less.

Luckily, password managers exist to make secure passwords more practical. Password managers are software that can remember your passwords for you, letting you use long and random passwords without fear of forgetting them. They'll even enter them into login fields for you- no need to type things in! You only need to remember one strong password to unlock all your other, even stronger passwords. This makes it very easy to use different passwords for every site.

Many password managers make it as simple as possible to start using them. As you use websites and log into accounts, you might be asked if you'd like to store that password in the password manager. You can also enter in your passwords manually. If your passwords aren't very strong, it's a good idea to manually change them and update any entries in your password manager (which can often generate a strong password for you if needed).

If you're worried about logging into multiple devices, online password managers are the way to go. 1Password, Bitwarden Vault, and similar services sync your passwords between multiple devices, making it easy to login without moving any files around. They're easy to install and use. If you want to be as safe as possible, though, you'll want to use a local-only password manager like KeePassXC. These password managers store your passwords only on your own computer. This means that there's no central server somewhere hosting your passwords[4]. You'll have to sync your passwords between devices manually, though, so it may not be worth the hassle if you're comfortable trusting someone else's servers.

Multi-Factor Authentication is great because...

MFA is getting easier and more secure.

You've probably used MFA before. If a website has ever texted you a security code, then you've used one form of MFA. Text messages are weaker than other forms of MFA[5] and a little annoying at times, but they're much better than nothing.

There are even easier ways to set up MFA now. One option is authenticator apps such as Authy. These apps constantly generate codes. When you're asked to use MFA, you can just enter in one of these codes- no need to check your email[6] or figure out where that MFA text ended up. Biometrics are another form of MFA that are becoming more common. Those can still be stolen, but that requires physical access to you in many cases. If someone is stealing your fingerprints or face ID, then you have other problems on your hands.

Another up-and-coming option is hardware security keys. These usually look like fancy USB sticks, and plugging them into your device is enough to authenticate you. There's no need to type in a code or check an app; just chuck the key in a port and you're good to go. It's also very hard to fake one of these. An attacker would have to get their hands on a physical object to break into your account, and that means they'd have to be near you. Most attackers won't be near you (unless you've made enemies, in which case MFA is the least of your worries). Hardware keys are a bit pricy and not the best-supported option at the moment, but they're becoming a better choice as time goes on. Check that they're supported if you want to use these somewhere.

Some sites store their passwords in insecure ways.

Using strong passwords still isn't enough in some cases. Sometimes, a company will store their passwords in an insecure way. They might store them as plaintext or use a very weak hash. If they get "hacked", then your complicated, hard-to-crack password doesn't need cracking in the first place. Your account is compromised. The solution to this is Multi-Factor Authentication, which asks you to give more information than just your password. If an attacker gets ahold of your password, then they still need to get more information to get into your account.

If a password is meant to prevent just anyone from getting into your account, MFA is meant to prevent someone who has your password from getting into your account. It's your last-ditch defense in the event of a breach or password leak, and it's much harder to circumvent than a password is.

Some hackers are smart.

There are a lot of ways for a "hacker" to get your password, and some are very subtle. Some attacks rely on social engineering, which is a fancy way of saying "tricking you into giving up the information willingly". You might get a phone call from your bank, only to learn that it wasn't actually your bank. Emails or malicious browser extensions might redirect you to fake login pages that steal your information. Even if you do everything right, things can still go wrong and end with you giving your password to an attacker.

MFA stops that attacker from getting free access to your accounts. Even if you lose your password, you're still protected. It would take an attacker a lot of effort to get both your password and your MFA information, especially if you choose something that's hard to fake or intercept (more on that in a moment), so it's more likely that they'll move on to someone that's an easier target.


Use a password manager and turn on MFA. Both changes are quick, easy, and will save you a lot of pain when a breach inevitably happens. Being well-protected is often enough for an attacker to decide that you're not worth the effort. And hey, a password manager will save you some day-to-day typing if nothing else.


[1]: Passwords aren't usually stored as plaintext. They get put through a special one-way equation that stores them as gibberish. That gibberish is called a hash. When you enter your password into a site to log in, it's converted into a hash and checked against the hash you have stored. That way, if someone steals the password list, they won't know your password and can't get it from the gibberish.

[2]: In reality, it's usually a little more complicated than this (look up 'password salting'), but some less secure services may not do more than this quick hashing exercise.

[3]: For those looking to repeat this, snag the MD5 hash.

[4]: Trusting someone else's server is a risk. Online password management services are sometimes breached, potentially exposing many people's passwords. To breach a local manager, an attacker would need to compromise your personal computer, which is likely much less worthwhile than compromising a server with thousands of people's passwords on it.

[5]: To get that code, an attacker would have to intercept your text before it reaches you. This is targeted enough that only a really dedicated attacker would do it, but it is possible. This is why other methods of MFA are considered more secure than SMS-based MFA.

[6]: An attacker can compromise your email if that doesn't have MFA enabled, then use that to send password reset requests or MFA requests to themselves. Poof, there go your accounts.

Written .

Back to top