gives you two times more chance to breach.
Not if you are using passkeys or 2FA for all your admin/moderator accounts...which should be a requirement on any site.
How confident am I. Heck... as for how secure I'm in my site security measures... here's my admin login for the site. The username is Admin... the current password is Tr1ggerD0g (and no, this was set specific for my site and was set as a very easy one to "force")... bang away. Anyone of even 1/2 way ability can easily confirm the base login data.. but I seriously doubt the can get beyond that. In fact, once you hit the 2FA/Passkey option... you will most likely be dead in the water. If you get past that... please feel free to screen shot ACP specific data.
The password will be changed in about 3 or 4 days.
As for moderation, XF has the ability to "hide" the moderator taking action towards a user.. this way it gives the user an account to have contact with in case they need to.
And a nice thing... with use of security add-ons... one can monitor and then force a password change when they get alerts that accounts are "having issues"
I really wish that XF would set up so that Passkeys were built in, and could be selected as the ONLY option instead of 2FA and such.
One weakness in XF that I have found... the inability to "log" admin logins or attempts... it's a simple weakness in XF that they probably haven not even thought of, and I honestly have no desire to point out as the "sycophantic" actions over there. Even though some "cult members" would like to push that I excoriate an particular script... I am MORE than happy to call out any of them.