Everyone hates having to remember long passwords. As time has gone on, passwords have had to get longer. We started adding complexity. We started forcing regular password resets. We started preventing passwords from being reused. And the latest trend is multi-factor authentication. So why is all this necessary?
Attackers have tools that can brute-force passwords. These tools go through every possible password combination. The shorter the password, the faster the tool will be able to guess it. As computing power increases, passwords that would once have taken a long time to crack take less and less time. The longer the password, the more tries it takes to break it. There are also password crackers that use dictionary words. That's why we were forced to add symbols, numbers and other complexity: it makes passwords harder to guess. Why do we get locked out of our accounts? If an attacker only gets a few tries, it is much harder for the tool to guess the password. Why can't we reuse passwords? Attackers have been known to take compromised credentials from one system and try them in other systems. Some organizations use security questions for password resets. But people often overshare on social media, and the answers to those questions may be easily guessable by perusing far too often wide-open social media accounts. The ability to guess passwords is only going to continue to grow with machine learning and AI.
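To put numbers on the length, complexity and lockout points above, here is an added example (not part of the original post) that computes the search space for a policy and the worst-case time to exhaust it. The guess rate, attempt limit and lockout duration are assumed values chosen for illustration, and the figures only hold for randomly chosen passwords.

```python
import string

import math

# Alphabet sizes for the complexity classes the post mentions.
CLASSES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digits": len(string.digits),           # 10
    "symbols": len(string.punctuation),     # 32
}

def keyspace(length, classes):
    """Candidates an exhaustive search must cover for a fixed length."""
    alphabet = sum(CLASSES[c] for c in classes)
    return alphabet ** length

def entropy_bits(length, classes):
    """Same quantity on a log scale; only valid for randomly chosen passwords."""
    return math.log2(keyspace(length, classes))

def offline_seconds(length, classes, guesses_per_second):
    """Worst case when nothing throttles the guessing."""
    return keyspace(length, classes) / guesses_per_second

def lockout_seconds(length, classes, attempts, lock_seconds):
    """Worst case when every `attempts` wrong guesses cost a lockout wait."""
    rounds = -(-keyspace(length, classes) // attempts)  # integer ceiling
    return (rounds - 1) * lock_seconds

def report(rate=1e10, attempts=5, lock_seconds=900):
    """rate, attempts and lock_seconds are assumed values, not measurements."""
    rows = []
    for length, classes in [(8, ["lower"]), (8, list(CLASSES)), (12, list(CLASSES))]:
        rows.append((length, "+".join(classes),
                     round(entropy_bits(length, classes), 1),
                     offline_seconds(length, classes, rate),
                     lockout_seconds(length, classes, attempts, lock_seconds)))
    return rows

if __name__ == "__main__":
    year = 365 * 24 * 3600
    for length, classes, bits, off, on in report():
        print(f"len={length:<2} {classes:<28} {bits:>5} bits  "
              f"offline={off / year:.2e} y  with lockout={on / year:.2e} y")
```

A password built from dictionary words or personal details falls far sooner than these worst-case figures, which is why length and complexity rules are paired with lockouts and reuse bans rather than relied on alone.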
Multi-factor authentication has become important. A password is guessable or hackable. Multi-factor means multiple unrelated systems have to be compromised at the same time. A password is something you know. The other factors for authentication are something you have or something you are. Multi-factor authentication keeps the something you know but adds something you have, such as an external email or text verification, or something you are, such as biometrics like fingerprints. It adds to the difficulty and makes it that much harder for an attacker to be successful. However, in some instances it can be frustrating and annoying for users. Cyber is a balance of risk. Multi-factor should be used as much as possible where the risk warrants it.