Should I activate 2FA on all my online accounts?

I have lots of online accounts and most of them are locked with strong passwords, which I store in Bitwarden and KeePassXC. When I checked my password strength with an online password checker, like security.org, it indicated that my passwords for all online accounts are strong and that it would take a computer 34 thousand years to crack my password.

Will my accounts be hacked if I use strong passwords like the ones mentioned? Should I activate 2FA on all accounts? I activated 2FA on a few of my online accounts, but not all of them.

Well… if there were a civilian hacker spying on your internet traffic, then 2FA would make it harder for them to access your account, BUT… doing that requires that you trust the company with your information (like a phone number or email account, assuming it’s a personal account, as businesses usually use a key fob that generates a one-time random number as a second password)…

And if there were a super creepy person spying on your network traffic… and if you use Tor all the time… then they won’t see your traffic anyway :smiley:

I personally never use it, but I use Tor ALL the time; that’s my choice :slight_smile:

Someone worried about hackers hijacking their accounts would say yes.
Microsoft would say “of course!!”
Someone hiding from the NSA would say “ugh… nahhh…”
I’m guessing an ex-Facebook employee would probably say “ugh… I wouldn’t :)”

Ohhh… depending on the service… it may be possible to glitch the password reset feature if something is poorly programmed. Those people should lose their jobs if that ever happens… just hypothetically :slight_smile:


I don’t quite get this statement. Care to explain more?

But, if the website itself gets hacked, my account which was registered on the website will be hacked, whether I activated 2FA or not. So, the 2FA function becomes useless. Or did I miss something here?

By the way, I use unique passwords for all websites. Let’s say this forum gets hacked: the hacker will be able to get my email, password, and forum username, but only for this forum. He won’t be able to hack my other forum accounts, because I use unique usernames, passwords, and email aliases.

I’d say activate 2FA on all accounts that support it.

Credential stuffing is quite common, where hackers just try leaked email passwords to accounts for online services and vice versa. 2FA makes it quite hard (but not impossible) to hack your account and keeps away the kind of hackers that just spray and pray for victims.

Hardware tokens for 2FA are the preferred method (like YubiKey).

The next best thing is something like andOTP or Bitwarden, but putting these two together in a single device is quite risky, so you may need to use a separate device for 2FA, preferably with non-functioning Wi-Fi and/or Bluetooth.

SMS 2FA is not recommended for US-based cellular accounts because SIM swapping attacks are quite rampant there. The merit of US-based SMS 2FA versus no 2FA is difficult to weigh sometimes, and I leave it up to the user to decide the risk of using SMS 2FA.


Should you? For all of your main, sensitive and/or important accounts and services, yes. For the others, also yes, if you feel like it.

If you store your passwords in a manager with an account system and cloud like Bitwarden, use an email that’s not obvious. Treat username/email like an additional password. If I were using capofantasma97@gmail.com, I’m basically asking to be brute-forced; if they have my password (key) but don’t know which of the many doors in the world it can open, I’m still quite safe.

For password strength, you don’t need to risk leaking it to check its security. Most password managers can generate passphrases and passwords, and check their strength for you.

Reminder that long passwords are better than gibberish of various character combos.
pueblo-motivate-till-luridness (1 nonillion years) or Although-Virus9-Issue-Lunchbox (3 hundred undecillion years) are stronger than $M2#MYM%u*55WvFt (1 trillion years) and infinitely easier and faster to type and remember without losing your mind.

Quite better than your 34 thousand years passwords, aren’t they?

Also, your account is only as strong as its weakest link. If the weak link is the server it’s hosted on (see https://haveibeenpwned.com/), you can’t do much aside from making sure the password you used was unique (meaning no other account shared it for hackers to try recycling and hitting more of your stuff).

Strong passwords only help from the user side, not the server side (so long as they don’t store them in plain text or some dumb encryption method). All passwords hashed in MD5, SHA-1 or other main methods aren’t affected by complexity and length of the original passwords. Strong passwords are harder to crack than weak passwords without access to the server (guessing, bruteforce, etc).

So we come to 2 Factor / Multi-Factor Authentication. These systems greatly help with security in almost all situations (even on some server side situations, depending on how it’s implemented) because as you already know, it requires an additional check of your identity through a temporary extra password that is generated each time there’s a new login request.

Do mind that 2FA doesn’t protect from everything: phishing, man/machine in the middle attacks, malware, many of those are nowadays designed with 2FA in mind.

Also, SMS and email are the worst for 2FA. Try to avoid those.


I don’t live in the US. So, I don’t use US SIM. Thanks for the tips anyway.

Yes, the ones I locked with 2FA are important accounts. But I don’t use it on forums or less important sites. It would be a hassle to unlock my phone just to log in to forums.

I don’t always check my password strength with security.org because I don’t really trust the website. The one I used in this thread is an example; it is a password that I no longer use, but I still have its history in KeePassXC. And most of my passwords are at least on this strength level, if not better. I mean, if a computer takes 34 thousand years to crack my password, I don’t think it is hackable, and using 2FA only gives a slight advantage. Or did I miss something here?

I would use long passwords for all websites if I could. But most websites cannot accept passwords of more than 20 characters. The one I mentioned in this thread is a password for a less important website. I tried using a 25-character password for PayPal in the past, but in the end, the PayPal system rejected my password. I use longer passwords for Bitwarden and Protonmail though. Thanks for the tip anyway.

Brute forcing a proper online server should be easy to detect, and blocking the relevant IP address slows it down to impracticality.

No one practically cracks a password these days to gain online accounts. It requires having access to the server and requires exfiltrating the relevant databases. It also requires not tripping the intrusion detection system the whole time, which is quite hard.

Anyway, the point is security layering. The more secure features you have, the less interesting you are to casual hackers.

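The post above says online brute forcing should be easy to detect and block by IP, and an earlier reply mentions credential stuffing (leaked credentials sprayed across many accounts). As an added illustration that is not from any poster, the example below runs a sliding-window check over a constructed set of failed-login events and tells the two patterns apart; the IPs, usernames and thresholds are all made up for the demonstration.

```python
from collections import defaultdict, deque

# Constructed sample of failed-login events as (unix_time, source_ip, username).
# 203.0.113.5 walks a leaked credential list (many usernames, one attempt each),
# 198.51.100.7 hammers a single account, 192.0.2.9 is a real user who mistyped twice.
FAILED_LOGINS = [
    (1000, "203.0.113.5", "alice"), (1002, "203.0.113.5", "bob"),
    (1004, "203.0.113.5", "carol"), (1006, "203.0.113.5", "dave"),
    (1010, "198.51.100.7", "alice"), (1015, "198.51.100.7", "alice"),
    (1020, "198.51.100.7", "alice"), (1025, "198.51.100.7", "alice"),
    (1030, "198.51.100.7", "alice"), (1035, "198.51.100.7", "alice"),
    (1050, "192.0.2.9", "erin"), (1900, "192.0.2.9", "erin"),
]


def detect_login_abuse(events, window=60, max_failures=5, max_usernames=3):
    """Per-source-IP sliding-window analysis of failed logins.

    Returns {ip: reason} for sources worth blocking or rate-limiting:
    many failures against one account (brute force) or failures spread across
    many accounts (credential stuffing). Events may arrive out of order."""
    recent = defaultdict(deque)  # ip -> deque of (time, username) inside the window
    flagged = {}
    for t, ip, user in sorted(events):
        q = recent[ip]
        q.append((t, user))
        while q[0][0] <= t - window:  # expire entries older than the window
            q.popleft()
        distinct_users = {u for _, u in q}
        if len(distinct_users) >= max_usernames:
            flagged[ip] = f"credential stuffing: {len(distinct_users)} usernames in {window}s"
        elif len(q) >= max_failures:
            flagged[ip] = f"brute force: {len(q)} failures in {window}s"
    return flagged


if __name__ == "__main__":
    for ip, reason in detect_login_abuse(FAILED_LOGINS).items():
        print(f"block {ip}: {reason}")
```

Thresholds this low suit a demonstration; in production they are tuned against the normal failure rate, and the distinct-username signal is the one that catches stuffing that stays under a per-account lockout.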

I don’t like the idea of someone tracking my every move through my cell phone connected to an “anonymous” social network :crazy_face: