Why 2FA or multi factor and strong passwords actually matter
Author: Brett & Tibbe
Category: webadmin
Published: 2026-02-19
Security isn't paranoia when the consequences are real. Here's why two-factor authentication and password managers are worth the minor inconvenience.
"Use a different password for every site."
"Enable two-factor authentication everywhere."
Security advice sounds like paranoid overkill until someone steals your stuff.
What actually happens when you get hacked
It's not dramatic like the movies. No hoodie-wearing hackers targeting you personally.
Here's the boring reality:
Some website gets breached (happens daily)
Your password is in the dump (along with millions of others)
Bots try that password everywhere (automated, no human involved)
They get into accounts where you reused it (the real damage begins)
Suddenly they're in your email, your bank, your social media, your work systems.
All because you used "password123" on a recipe site that got hacked.
Strong passwords matter
"123456" is still the most popular password. Seriously. Or "qwerty", straight off the keyboard.
Attackers don't guess passwords one by one. They take lists of millions of passwords from earlier breaches and try them all, against every site, in bulk (credential stuffing).
Your password doesn't need to be unguessable by a human. It needs to be long enough to survive offline cracking and absent from the "top 10 million passwords people actually use" lists those bots run with.
Good passwords are:
Long: 12+ characters beats clever
Unique: Different for every important account
Random: Not based on personal info or a dictionary word
Example of the shape of a strong password: correct-horse-ba77ery-staple-92
Several unrelated words plus some digits are easy to remember and long enough to resist brute force. One caveat: don't use this exact phrase. "correct horse battery staple" is a famous example and sits in every cracking wordlist, so pick your own words (or, better, let a password manager pick them).
Make password managers your security superpower
"I can't remember 50 different passwords."
You don't have to. That's what password managers are for.
How they work:
Generate random passwords for every site
Store them encrypted behind one master password
Fill them automatically when you log in
Sync across all your devices securely
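Here is what "generate random passwords" and "not in the breach database" look like in code. This is an added example, not code from the original post or from any of the password managers it names. The word list and the leaked-password set are small constructed stand-ins (a real Diceware list has 7776 words; Have I Been Pwned's Pwned Passwords corpus has hundreds of millions of hashes), and range_response stands in for that service's k-anonymity range API, which returns every stored SHA-1 suffix matching a five-character prefix so the full password hash never leaves your machine.

```python
"""Generate passwords the way a manager does and check candidates against a
leaked-password list with a k-anonymity range lookup.  Added example; the
WORDS list and LEAKED_PASSWORDS set are constructed stand-ins for real data."""
import hashlib
import math
import secrets
import string

# Constructed stand-in for a Diceware-style word list (real lists: 7776 words).
WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "falcon", "garnet", "harbor",
         "iris", "juniper", "kestrel", "lantern", "marble", "nectar", "orchid", "pebble"]

# Constructed stand-in for a breach corpus.  Pwned Passwords stores these as
# upper-case SHA-1 hex, so that is what we compare against.
LEAKED_PASSWORDS = {"123456", "password", "qwerty", "password123", "letmein",
                    "correct-horse-battery-staple"}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_response(prefix: str, corpus=LEAKED_PASSWORDS) -> str:
    """Server side of the range API: every stored hash suffix whose hash starts
    with the 5-char prefix, one "SUFFIX:COUNT" per line (counts are 1 here)."""
    lines = [f"{h[5:]}:1" for h in map(sha1_hex, corpus) if h.startswith(prefix)]
    return "\r\n".join(lines)


def is_leaked(password: str, fetch_range=range_response) -> bool:
    """Client side: send only the first five hex chars of the SHA-1, then match
    the remaining 35 locally.  The server never learns the full hash."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if not line:
            continue
        candidate, _count = line.split(":", 1)
        if candidate == suffix:
            return True
    return False


def generate_passphrase(n_words: int = 5, wordlist=WORDS, sep: str = "-") -> str:
    """Diceware-style passphrase; secrets.choice is a CSPRNG, random.choice is not."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def generate_password(length: int = 20,
                      alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """Opaque random password of the kind a manager fills in for you."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices: int, positions: int) -> float:
    """Guessing entropy of `positions` independent picks from `choices` symbols."""
    return positions * math.log2(choices)


def assess(password: str, fetch_range=range_response) -> list:
    """Return the reasons a password fails the post's two practical tests."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if is_leaked(password, fetch_range):
        problems.append("appears in a breach list")
    return problems


if __name__ == "__main__":
    for pw in ("password123", "correct-horse-battery-staple", generate_passphrase(), generate_password()):
        print(f"{pw!r}: {assess(pw) or 'ok'}")
    print("5 Diceware words from a 7776-word list:", round(entropy_bits(7776, 5), 1), "bits")
```

Note the entropy figures: five words from the 16-word list above give only 20 bits, which is why the constructed list is for illustration only; five words from a real 7776-word list give about 64.6 bits, and a 20-character password from the 94 printable ASCII characters about 131 bits. A real client would replace range_response with an HTTPS GET to the Pwned Passwords range endpoint and parse the same "SUFFIX:COUNT" lines.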
Popular options:
1Password: Great for families and teams (not free)
Bitwarden: Open source, free version available
LastPass: Widely used, though they've had some breaches
Yes, putting "all your eggs in one basket" feels scary. But the basket is heavily encrypted and protected.
Much safer than using "password123" everywhere.
Two-factor authentication is your safety net
Even with strong passwords, websites get breached. 2FA is your backup plan.
How 2FA works:
You enter your password
The site asks for a second factor
You provide it (code from phone, fingerprint, etc.)
Both factors required = much harder to hack
Attackers who bought your password in a breach dump usually don't have your phone or your hardware key, so the stolen password alone gets them nowhere.
Types of two-factor auth
SMS codes (text messages):
Better than nothing
Can be intercepted or redirected (SIM swapping, phishing pages that relay the code)
Works on any phone
Authenticator apps (Google Authenticator, Authy):
More secure than SMS: the code is computed on your phone from a shared secret and the current time, nothing is sent over the carrier network
Works offline
Slightly more setup work
Hardware keys (YubiKey, etc.):
Most secure option
Phishing-resistant: the key only answers for the real site's domain, so a look-alike site gets nothing
Costs money, and losing it locks you out unless you registered a second key or kept your recovery codes
Biometrics (fingerprint, face):
Convenient for personal devices
Can't be changed if compromised
Built into most modern phones
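The authenticator-app factor above is the TOTP algorithm from RFC 6238 (HOTP from RFC 4226 driven by a 30-second time counter). The following is an added example, not code from the original post or from Google Authenticator or Authy, showing both sides of that exchange: the phone computes a code from the shared secret and the clock, and the site recomputes it and compares. The secret is the RFC test key "12345678901234567890" (shown in the base32 form that QR-code enrolment uses) so the codes can be checked against the published test vectors; the one-step window and the returned counter for replay tracking are design choices of this example, not something the post specifies.

```python
"""TOTP/HOTP as used by authenticator apps (RFC 6238 / RFC 4226).  Added example;
the shared secret below is the RFC test key, not a real enrolment."""
import base64
import hashlib
import hmac
import struct
import time

# What the enrolment QR code carries: the shared secret, base32-encoded.
ENROLMENT_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # base32 of b"12345678901234567890"


def decode_secret(b32: str) -> bytes:
    """Authenticator apps accept unpadded, lower/upper-case base32; normalise it."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step).  This is what the
    phone shows; it needs only the secret and a clock, no network."""
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1):
    """Server side.  Accept the current step and `window` steps either side to
    tolerate clock drift.  Returns the matching counter (so the caller can
    refuse to accept that counter a second time, which blocks replay of a
    code that was phished in real time) or None if nothing matched."""
    current = at // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(key, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    key = decode_secret(ENROLMENT_SECRET_B32)
    now = int(time.time())
    code = totp(key, now)                  # phone side
    print("code shown on phone:", code)
    print("server accepts:", verify_totp(key, code, now) is not None)
    # RFC 6238 vector: T=59 with 8 digits must give 94287082
    print("RFC 6238 check:", totp(key, 59, digits=8) == "94287082")
```

Two practical consequences fall out of the code: the secret is all an attacker needs to mint codes forever, which is why the enrolment QR code and any "backup" export deserve the same care as a password; and because a valid code stays valid for the whole window, a phishing page that relays it to the real site within a few seconds still gets in, which is the gap hardware keys close.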
Where 2FA matters most
Don't enable 2FA everywhere at once. Start with accounts important to you:
Critical accounts:
Email: Gateway to everything else
Banking/finance: Direct access to money
Work systems: Your livelihood
Password manager: Keys to the kingdom
Important accounts:
Social media: Identity and reputation
Cloud storage: Personal files and photos
Shopping: Payment methods saved
Skip 2FA for:
Accounts with no sensitive data
Sites you rarely use
Accounts you can afford to lose
Convenience vs security trade-off
Yes, security adds friction. But so does getting hacked.
5 seconds for 2FA vs 5 hours dealing with compromised accounts
Choose your inconvenience.
Common excuses
"I have nothing worth stealing."
Your email gives access to password resets for everything else. Your social media can be used to run scams against your friends, and they will trust a message that comes from you. Your accounts have value even if you don't see it.
"It's too much work."
Setting up 2FA takes 2 minutes per account. Recovering from a hack takes days or weeks, if you even can.
"What if I lose my phone?"
Most 2FA systems give you one-time backup codes when you enrol. Write them down, store them somewhere safe and separate from the phone, and where the site allows it register a second method (a spare hardware key or a second device) as well. Problem solved.
"Companies should just build better security."
They should. They don't always. You still need to protect yourself.
Getting started: 15 minutes a week
Week 1: Install a password manager
Week 2: Change your most important passwords (email, banking)
Week 3: Enable 2FA on critical accounts
Month 2: Gradually update less critical accounts
Don't try to secure everything at once. Build habits gradually. Some services, like Proton, also bundle unlimited email aliases and a VPN for very little money.
When security goes wrong
We've seen security paranoia hurt people:
Passwords so complex that they write them down and keep them under the keyboard at work.
2FA codes they can't reach when travelling. Phone stolen abroad, no backup codes, no access to email or banking, and a night spent outside the embassy.
So many security layers that they lock themselves out. The third time it happens they give up and go back to "12345".
Balance is key: Secure enough to prevent common attacks, simple enough to actually use.
The real threat model
You're not protecting against nation-state actors or elite hackers. They want bigger fish.
You're protecting against:
Automated bots trying stolen passwords
Data breaches exposing your info
Scammers using social engineering
Opportunistic criminals
Strong, unique passwords and 2FA stop the vast majority of these attacks, because all of them depend on a reused or guessable password being enough on its own.
Why we enforce this at work
As web developers, we've seen the aftermath of preventable breaches:
Clients losing customer data
Websites defaced or held for ransom
Business operations shut down for weeks
Legal liability and reputation damage
When a hack has you losing money by the minute, your wallet and your sanity both suffer. For us to drop everything and prioritise your recovery, we have to reschedule every other client, and that costs us too. You get the picture.
The minor inconvenience of good security practices prevents most of these disasters.
Protect yourself like your business depends on it. Because it probably does.