Why the best password security doesn't matter

You've built a rock-solid system. You hash passwords with an industry-standard slow, salted algorithm (or better), and you make sure plaintext passwords are never logged. It is built well and to specification. So why is this still a problem?

It's not your own security you need to worry about. It's the countless other websites that have not built great security: the apps that store passwords without hashing or salting them, the inferior code that writes passwords to logs in plaintext. But why are these systems, systems you have no control over and didn't build, your problem?

Password reuse. Users reuse passwords across sites. Some vary a password slightly from site to site, but for the most part a user's password is the same, or nearly the same, on every app and website they sign up for, and attackers routinely try the common variations as well.

The systems that don't protect passwords the way you do are the ones leaking your users' passwords to the dark web and to attackers. These systems are weak, vulnerable and ripe for attack. Once a password has leaked, it is only a matter of time before it is tried against your website or app (credential stuffing) and the account is taken over, or worse.

What do you do then? If building the most secure password storage system can't protect you from these attacks, what can? 2FA (two-factor authentication, one form of MFA, multi-factor authentication) is one option: if the password is stolen, leaked or otherwise compromised, the attacker still needs a second factor to get in. Another option is going completely passwordless, so there is no password to store or rely on in the first place.

Common 2FA methods are cumbersome, and the code-based ones (TOTP authenticator apps, for example) still require a shared secret to be stored somewhere on the server, where it can be stolen. Worse, those secrets can't be one-way hashed the way passwords can: the server has to recover the raw seed every time it verifies a code, so at best the seed is encrypted at rest, and a breach that yields the database together with the encryption key yields working seeds. In that respect a 2FA seed is more exposed than a properly hashed password. Auth Armor can enable 2FA without hard-to-type codes and without shared secrets.

Better yet is passwordless. With passwordless options there is nothing for the user to remember or forget, nothing for a developer to log, and nothing reusable for an attacker to steal from a breach of your database. The user's device and its enrollment and recovery flow become the thing to protect instead of a secret on your server. It is the most secure model available today.