Password Resets in an Age of MFA


Recently, WordPress got in contact with me to say they suspect that my password was exposed in some sort of data breach. Well, it's a day ending with a "y" - so of course some scumbag has pilfered my digital identity.

WordPress mandated that I change my password. But was that really necessary?

Firstly, the password was uniquely generated by my password manager[1]. It isn't re-used anywhere else. So there is no chance of hackers breaking into my email, bank, or OnlyFans account[2].

Secondly, and more importantly, I have a 2FA app which provides me with a TOTP code every time I want to log in. Even if the evil ne'er-do-wells have my username and password, they can't get in without the MFA code[3].

So, should I change my password?

To understand this, it's worth considering the risks - both of action and inaction.

Changing a password isn't without risk.

  • Perhaps some long-forgotten app or service relies on that password. If I change it, what will break?
  • Do I trust my password manager to give me a strong password?
  • What if the original email is a phishing attempt and I end up giving the baddies my credentials?
  • Can I be bothered spending the time maintaining this old account?

As for the risk of inaction.

  • Using my details, a miscreant might convince WordPress to disable MFA on my account.
  • If there was a breach, my MFA seed secret might also have been stolen.
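
The second risk above, as an added example that is not part of the original post: a TOTP code (RFC 6238) depends only on the seed and the clock, so a seed copied out of a breached verifier produces codes the service accepts until MFA is re-enrolled with a fresh seed. Both seeds are constructed samples (the first is the RFC 6238 test key), and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample seeds. OLD_SEED is the RFC 6238 SHA-1 test key.
OLD_SEED = base64.b32encode(b"12345678901234567890").decode()
ROTATED_SEED = base64.b32encode(b"constructed-new-seed").decode()


def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA-1: a pure function of seed and clock."""
    key = base64.b32decode(seed_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(stored_seed: str, submitted: str, unix_time: int,
           step: int = 30, window: int = 1) -> bool:
    """Verifier side: accept codes for the current step, +/- `window` steps."""
    return any(
        hmac.compare_digest(totp(stored_seed, unix_time + drift * step, step), submitted)
        for drift in range(-window, window + 1)
    )


def demo(now: int = 1111111109) -> dict:
    # The service stores OLD_SEED; a dump of that store contains the same value.
    code_from_copied_seed = totp(OLD_SEED, now)
    before = verify(OLD_SEED, code_from_copied_seed, now)
    # Re-enrolling MFA replaces the stored seed, so the copied one stops working.
    after = verify(ROTATED_SEED, code_from_copied_seed, now)
    return {"accepted_before_rotation": before, "accepted_after_rotation": after}


if __name__ == "__main__":
    print(demo())
```

Changing the password alone leaves the stored seed untouched; only re-enrolling the authenticator app replaces it.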

On balance… yeah, obviously I should change my password. It is a 30-second job with a decent password manager. But, I might argue, there isn't much urgency in doing so.

  • A strong and unique password means there is no risk of collateral damage to other accounts.
  • The use of MFA adds an extra layer of protection which buys you time.

Thankfully, we've moved on from the outdated advice to regularly change your password. Now we only have to change them when there's been a breach. Which, coincidentally, is every 30 days…

The future ain't what it used to be!


  1. It was w@&7%GUznK#9^}<S5 if you must know. ↩︎

  2. Lots of weirdos want to buy videos of me recompiling Linux while in my pants. Who am I to judge? ↩︎

  3. It is currently 194 685↩︎


3 thoughts on “Password Resets in an Age of MFA”

  1. said on indieweb.social:

    @Edent

    NIST guidelines (https://pages.nist.gov/800-63-3/sp800-63b.html#sec5) provide valuable information on best practices for password management and security.

    A memorised secret (password) should only be changed when it is no longer a secret. In this case, since WordPress.com is not verifier compromise-resistant, I would change my password.

    NOTE: WordPress is an open-source content management system (CMS), while WordPress.com is a managed service from Automattic.

    #infosec
