Does Two Factor Authentication Protect Weak Passwords?

Two factor authentication has become ever more common as a means of adding an extra layer of security over access to valuable personal or professional data online or offline. Most TFA works on the basic premise that if, instead of relying on a single password, you need a password and a second, separate authentication key before you can access data, the chance that a third party intruder can get in is much smaller.

With the most commonly used TFA systems, such as those offered by social media, email and cloud storage services, we as users enter our regular password and are then prompted for an access key that has been sent by text message to the mobile phone number we registered; this key changes for each login attempt.

While pre-TFA access security depended heavily on the non-guessability and entropy of long passwords, what makes this two factor system so powerful is that it dramatically raises the difficulty of hacking a secured account by creating two totally distinct layers of access protection. Intruders can no longer count on guessing your single password; they would now also have to steal or clone your phone.
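The two-layer flow described above, as an added example that is not part of the original article: a minimal server-side verifier that checks the password (first factor) against a salted PBKDF2 hash, then issues a fresh random six-digit code per login attempt (standing in for the SMS message) that is single use, time limited and attempt limited (second factor). The five-minute lifetime, the three-attempt limit and the in-memory storage are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed, in-memory stand-in for a real service. A production system would
# persist these records and deliver the code over SMS, an app, or a push channel.
PBKDF2_ROUNDS = 200_000
CODE_TTL_SECONDS = 300      # assumption: a code is valid for five minutes
MAX_CODE_ATTEMPTS = 3       # assumption: three wrong codes cancel the pending login


class TwoFactorServer:
    def __init__(self):
        self._users = {}     # username -> (salt, pbkdf2 digest)
        self._pending = {}   # username -> {"code", "expires", "attempts"}

    def register(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest)

    def _password_ok(self, username, password):
        record = self._users.get(username)
        if record is None:
            # Run the KDF anyway so an unknown username costs the same time as a wrong password.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
            return False
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, stored)

    def start_login(self, username, password, now=None):
        """First factor. On success, issue a new one-time code and return it
        (this return value stands in for 'send it to the registered phone');
        on failure return None and issue nothing."""
        now = time.time() if now is None else now
        if not self._password_ok(username, password):
            return None
        code = f"{secrets.randbelow(10**6):06d}"   # fresh code for every login attempt
        self._pending[username] = {"code": code, "expires": now + CODE_TTL_SECONDS, "attempts": 0}
        return code

    def finish_login(self, username, code, now=None):
        """Second factor. The code must be the one issued for this login, still
        within its lifetime, and is consumed on first successful use."""
        now = time.time() if now is None else now
        pending = self._pending.get(username)
        if pending is None:
            return False
        if now > pending["expires"]:
            del self._pending[username]            # expired: the password step must be repeated
            return False
        pending["attempts"] += 1
        if hmac.compare_digest(pending["code"], code):
            del self._pending[username]            # consumed: the same code cannot be replayed
            return True
        if pending["attempts"] >= MAX_CODE_ATTEMPTS:
            del self._pending[username]            # too many misses: start over from the password
        return False


if __name__ == "__main__":
    server = TwoFactorServer()
    server.register("alice", "correct horse battery staple")
    issued = server.start_login("alice", "correct horse battery staple")
    print("code issued:", issued)
    print("login completed:", server.finish_login("alice", issued))
```

The ordering matters for the point the article makes: no code is ever generated or sent until the password check passes, so someone who only holds the phone learns nothing about the password, and someone who only knows the password still has to produce a code that is never reused and is discarded after a few wrong guesses.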

This raises a question: since we as users now have such a powerful extra intrusion barrier in place to stop hackers, do we need to keep bothering with the hassle of maintaining long and sometimes hard to remember passwords? In other words, with TFA enabled on your online accounts, do long passwords still matter much?

The answer to both questions is a clear yes, but with certain very crucial caveats.

Absolute Security

In absolute terms, every additional security measure that you apply to your web connected data (information such as what you store in your Gmail account, Google Drive, DropBox cloud storage account etc.) will improve the strength of your protection. Thus, even if you are using two factor authentication from a company like Authentify, a highly randomized 16 character password with a search space of around 10^30 possibilities is in relative terms much more secure than a regular 8 character password with trillions fewer possible combinations.

With passwords such as these, a hacker who wanted your data in their hands would have to somehow first hack your service provider (and get through all of their corporate security measures) in order to find your hashed password amongst millions of others stored in those company servers. Then they would have to brute force a monstrously long list of possible key combinations for your password.
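To make the search space comparison from the preceding paragraphs concrete, here is an added example (not from the original article) that computes the number of possible passwords, their entropy in bits, and the expected time for an offline brute force of a leaked hash to succeed. The alphabet of 95 printable ASCII characters, and the guess rates used in the demonstration (10^10 guesses per second offline against a fast unsalted hash, 10 per second against a rate-limited online login), are assumptions for illustration; real rates depend on the hash function and hardware.

```python
import math

PRINTABLE_ASCII = 95   # letters, digits and punctuation on a US keyboard
LOWERCASE = 26         # alphabet of a password like "kittycat"


def search_space(length, alphabet_size=PRINTABLE_ASCII):
    """Distinct passwords of exactly `length` characters drawn from the alphabet."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy of a uniformly random password of this length, in bits."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(length, guesses_per_second, alphabet_size=PRINTABLE_ASCII):
    """Expected time to hit a uniformly random password: on average half the space is tried."""
    return search_space(length, alphabet_size) / 2 / guesses_per_second


def human_duration(seconds):
    """Render a duration in the largest unit that fits, with three significant figures."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.3g} {unit}"
    return f"{seconds:.3g} seconds"


def compare(rate_label, guesses_per_second):
    """Tabulate the article's 8 vs 16 character case, plus an all-lowercase pet name."""
    rows = []
    for label, length, alphabet in (("8 printable", 8, PRINTABLE_ASCII),
                                    ("16 printable", 16, PRINTABLE_ASCII),
                                    ("8 lowercase", 8, LOWERCASE)):
        rows.append((label,
                     f"{search_space(length, alphabet):.2e}",
                     f"{entropy_bits(length, alphabet):.1f} bits",
                     human_duration(expected_crack_seconds(length, alphabet_size=alphabet,
                                                           guesses_per_second=guesses_per_second))))
    print(f"\n{rate_label} ({guesses_per_second:.0e} guesses/s)")
    for row in rows:
        print("  {:<14} {:>10} {:>12} {:>16}".format(*row))


if __name__ == "__main__":
    compare("offline, leaked fast hash (assumed)", 1e10)
    compare("online, rate-limited login (assumed)", 10)
```

At the assumed offline rate the 8 character printable password falls in a few days while the 16 character one takes many billions of years, which is the article's point about absolute strength; at the online rate even the 8 character password is out of reach, which is the situation TFA and server-side rate limiting create.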

And then, after they have done all of the above just to crack your long password, they would also have to find some way to circumvent your second factor, which would probably involve your phone. Doing this could involve stealing the phone itself, or possibly cloning it, or using contacts inside the telecom that runs your mobile contract to reassign your number to another hacker at a crucial moment so that your SMS TFA access key can be received.

In these mathematical and practical terms, then, a strong password and a TFA system together give much greater security than either alone. However, this is where some caveats come into play.

Realistic Attack Probability

For one thing, unless you’re the head of some major government agency or maybe a corporate CEO with multibillion dollar trade secrets buried in your data, nobody’s going to go through any of the above efforts to hack your TFA/strong password protected accounts. And even if your data were so valuable that it’s worth attacking with such effort, then you certainly wouldn’t want to leave it inside Gmail or DropBox servers to begin with.

Realistically, as an average user, you only need to worry about enough security to make yourself less of a target than the average user. Hackers by and large go for volume attacks and most intrusions into individual accounts are just small parts of much broader hacks of entire servers. These kinds of mass hacks have repeatedly happened to Google, Twitter, LinkedIn and many other major online data providers.

Thus, simply by implementing TFA and combining it with a fairly decent 8 character password instead of some hard to remember 20 character monster, you will be using a level of personal data security that puts you well above the overwhelming majority of service users, who never so much as glance at their TFA options and who use passwords such as the name of their hometown or pet names like “kittycat” and “fluffy”. These will be the far more likely targets of any interested hackers.

The Bottom Line

However, if you are still worried that somebody could target you out of financial motives or for some other more complicated reason, then, in order to be more secure, go right ahead and use strong passwords. In practical terms, there is little difference between a decent 8 character password and its 16 character counterpart if both are combined with TFA and sensible all-around security habits, but if being extra cautious makes you feel safer, more power to you.

Just remember to be smart on the practical stuff. Your 16 character password is not that useful if you’re doing silly things like leaving your online accounts logged in even after you leave your computer, or accessing an online TFA protected account right from the same phone where the second factor is sent to (thus totally nullifying the TFA value of your protection).

Stephan Jukic is a freelance writer who generally covers a variety of subjects relating to the latest changes in white hat SEO, mobile technology, marketing tech and digital security. He also loves to read and write about location-free business, portable business management and finance. When not busy writing or consulting on technology and digital security, he spends his days enjoying life’s adventures either in Canada or Mexico. Connect with Stephan on Google+ and LinkedIn.