Your Password is a Broken Gate

I was sitting in a Gbagada workstation yesterday, sipping some lukewarm coffee and watching a guy across from me lose his mind because his Instagram got "hacked." He kept shouting about how he had a strong password. Bro, it’s 2026. A strong password is like a heavy padlock on a cardboard door—it looks good, but it won't stop anyone who actually wants to get in.

If you’re still moving through the internet with just a username and password, you’re basically asking for Sapa-level premium tears. Credential stuffing isn't just a fancy term; it's what happens when some random site you used three years ago leaks your data, and suddenly, someone in a different timezone is trying that same password on your GTBank app.

The SMS Mirage

Most of us in Nigeria default to SMS for two-factor authentication (2FA). It feels natural because we’re used to OTPs for every single transfer. But here’s the thing: SMS is the weakest link in the chain.

I’ve seen too many stories of SIM swap scams where someone manages to clone your line and intercepts all those "secure" codes while you're wondering why your signal bars disappeared. If you're serious about your digital life—especially your primary email that literally holds the keys to everything else—you need to stop relying on your telco for security.

The "No Gree for Anybody" Security Model

As a dev, I’m always pushing people toward authenticator apps like Google Authenticator or Authy. The code stays on your device. It’s not flying through the airwaves where some malicious actor can grab it. It’s local. It’s punchy. It works even when your network provider is doing their usual "no service" dance in the middle of a rainy morning in Jos.

Yes, it’s an extra step. Yes, it’s annoying to pull out your phone every time you log in to a new browser. But the friction of typing a six-digit code is nothing compared to the friction of explaining to your village people why you’re begging for 2k on your hacked Facebook profile.

Don't Lock Yourself Out

The biggest fear I hear from people is, "What if I lose my phone?"

This is where everyone misses the mark. When you set up 2FA, these platforms give you backup codes. Most people just click "Next" without looking. Don’t do that. Treat those codes like your original birth certificate. Print them out, save them in an encrypted vault, or hide them in that one dusty file where you keep your WAEC result.

Real Talk for Builders

If you’re building products for the Nigerian market, stop making 2FA an afterthought. We need to design for a user base that is both tech-savvy and perpetually distracted by the chaos of daily life. Make the 2FA flow smooth. Use "trusted devices" so people don't have to verify every five minutes, but force it for the big stuff—password changes, withdrawals, or new logins.

Cybersecurity doesn't have to be some high-level mystery. It’s just about being more difficult to rob than the person next to you. Switch to an app, save your backup codes, and for the love of everything, stop reusing that one password you created in 2015.

Anyway, my code is finally compiling. Stay safe out there.