Beginner

Strong Passwords and MFA

Reusing one password everywhere feels convenient — until one site is breached. Learn the safer way.

The scenario

Sara uses the same password — "Sara2019!" — for her email, her bank, and a small shopping website she joined last year. One day she reads in the news that the shopping website was hacked and millions of passwords were stolen. A week later she cannot log in to her email: someone changed her password and is sending messages from her account.

The attackers did not need to hack her email directly. They took the leaked password from the shopping site and simply tried it on her email — a technique called "credential stuffing." Because Sara reused the same password, one breach unlocked everything.

What to learn

Two habits would have protected Sara:

1) Unique passwords for every account. If one site leaks, the damage stops there. A password manager makes this practical — you only remember one strong master password and it generates the rest.

2) Multi-factor authentication (MFA). Even if an attacker has your password, MFA asks for a second proof — a code from an app or a hardware key — that the attacker does not have. App-based or hardware MFA is stronger than SMS codes, which can be intercepted.

Also prefer long passphrases (e.g. four random words) over short complex strings: length beats complexity for resisting guessing.