In October 2022, an article titled "Why (almost) everything we told you about passwords was wrong" was published, highlighting how much of the password advice given over the years is misguided, counterproductive, or simply wrong. Researchers have found that the most common types of password attack are credential stuffing, in which stolen username and password pairs are replayed against other sites and services, and password spraying, in which criminals try a few simple, common passwords against many accounts across multiple systems. Strong, long, and complicated passwords are therefore almost never the deciding factor in real-world attacks.
Offline password guessing attacks are rare, and while strong passwords may help in those situations, they are difficult for people to remember and so lead to password reuse. The article's answer is two-factor authentication (2FA), which defeats credential stuffing, password spraying, and other attacks that rely on knowing the password alone. 2FA requires users to prove their identity in two different ways when logging in, for example by typing a password and then entering a one-time code received on their phone. While 2FA is widely supported by popular websites and apps, it is often optional rather than mandatory. The article urges readers to enable 2FA wherever it is offered to protect their accounts and reduce their exposure to these attacks.
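As an added example (not from the article), the following Python detector tells apart the two failure shapes a defender sees in authentication logs: password spraying, where one source fails against many accounts, and single-account brute force, and it flags the case that matters most, a source that sprays and then logs in successfully. The log lines are constructed, and the line format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample log (not from any real system); the line format is an assumption.
SAMPLE_LOG = """\
2022-10-05T10:00:01Z auth_fail user=alice src=203.0.113.7
2022-10-05T10:00:02Z auth_fail user=bob src=203.0.113.7
2022-10-05T10:00:03Z auth_fail user=carol src=203.0.113.7
2022-10-05T10:00:04Z auth_fail user=dave src=203.0.113.7
2022-10-05T10:00:05Z auth_ok user=frank src=203.0.113.7
2022-10-05T10:00:06Z auth_fail user=alice src=198.51.100.9
2022-10-05T10:00:07Z auth_fail user=alice src=198.51.100.9
2022-10-05T10:00:08Z auth_fail user=alice src=198.51.100.9
2022-10-05T10:00:09Z auth_fail user=bob src=192.0.2.44
"""
LINE_RE = re.compile(r"^(\S+) (auth_fail|auth_ok) user=(\S+) src=(\S+)$")

def parse_events(log):
    """Yield (timestamp, outcome, user, source) tuples; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def classify_sources(log, window_s=600, spray_users=4, brute_attempts=3):
    """Label each source by failure shape: 'spray' (>= spray_users distinct
    accounts), 'brute_force' (>= brute_attempts on one account); either gets
    '+success' appended if the same source later logs in successfully."""
    fails = defaultdict(lambda: defaultdict(list))   # src -> user -> [ts]
    successes = defaultdict(list)                    # src -> [ts]
    for ts, outcome, user, src in parse_events(log):
        (fails[src][user] if outcome == "auth_fail" else successes[src]).append(ts)
    labels = {}
    for src, per_user in fails.items():
        all_ts = sorted(t for ts in per_user.values() for t in ts)
        if (all_ts[-1] - all_ts[0]).total_seconds() > window_s:
            continue   # a production detector would slide the window; kept simple here
        if len(per_user) >= spray_users:
            label = "spray"
        elif max(len(ts) for ts in per_user.values()) >= brute_attempts:
            label = "brute_force"
        else:
            continue   # too few failures to be interesting
        if any(s > all_ts[0] for s in successes.get(src, [])):
            label += "+success"   # the source got in after failing: alert
        labels[src] = label
    return labels

if __name__ == "__main__": print(classify_sources(SAMPLE_LOG))
```

Run as-is it reports the spraying source as `spray+success` and the repeated failures against one account as `brute_force`, while the single benign failure is ignored.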