On Sat 14 May 2022 at 08:58:37 -0000, Curt wrote:
> On 2022-05-14, Ash Joubert <a...@transient.nz> wrote:
> > On 13/05/2022 12:23, Nicholas Geovanis wrote:
> >> That's the value added in exchange for Ash's "massive pain in the arse".
> >> Just making the 1st factor be
> >> a loong password is not equivalent to 2FA in any way. Machine reaching back
> >> to you is the difference.
> >
> > There are attacks that 2FA can defeat, especially things like password
> > reset via compromised email server, but in general, two weak factors are
> > not a match for a strong unique random password. In particular, it is
> > not uncommon for sms/email/totp second factor to resolve to exactly the
> > same device as the first factor, reducing 2FA to a single factor.
> > Compromise such a user's phone and it is all over.
>
> What about data breaches, and sites keeping your password
> in plain text (though it seems access to the cryptographically hashed
> passcodes is already a pretty good leg up)? What good is our entropy then?
>
> https://en.wikipedia.org/wiki/List_of_data_breaches
>
> https://arstechnica.com/information-technology/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
The time to brute force a hash depends on password entropy. The second link is an interesting read, but I do not think everything in a cracker's garden is rosy. One can only hope providers use decent hashing techniques and keep data safe.

-- 
Brian.
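To put numbers on the point that cracking time depends on entropy, and on what a "decent hashing technique" buys, here is an added estimator (not from anyone in the thread). The guess rate and the KDF iteration count are assumptions chosen for illustration, not measured figures.

```python
import math

# Assumed attacker guess rate for a fast single-pass hash and an assumed
# iteration count for a slow KDF. Both are constructed for illustration.
FAST_HASH_RATE = 1e11          # guesses per second, assumption
KDF_ITERATIONS = 600_000       # PBKDF2-style work factor, assumption
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a password chosen uniformly at random from
    charset_size symbols and length symbols long."""
    return length * math.log2(charset_size)

def expected_guesses(bits: float) -> float:
    """A uniformly random password is found, on average, after searching
    half the keyspace."""
    return 2 ** (bits - 1)

def expected_seconds(bits: float, guesses_per_second: float, work_factor: int = 1) -> float:
    """Expected cracking time. work_factor is the number of underlying hash
    invocations per candidate (e.g. KDF iterations); it divides the
    attacker's effective guess rate."""
    return expected_guesses(bits) / (guesses_per_second / work_factor)

def effective_bits(bits: float, work_factor: int) -> float:
    """A slow hash adds log2(work_factor) bits of effective entropy."""
    return bits + math.log2(work_factor)

def scenarios() -> dict:
    """Constructed comparison: a short lowercase password versus a long
    random one, each stored with a fast hash and with an iterated KDF."""
    cases = {
        "8 lowercase": entropy_bits(26, 8),
        "16 printable ASCII": entropy_bits(95, 16),
    }
    out = {}
    for name, bits in cases.items():
        out[name] = {
            "bits": round(bits, 1),
            "fast_hash_years": expected_seconds(bits, FAST_HASH_RATE) / SECONDS_PER_YEAR,
            "kdf_years": expected_seconds(bits, FAST_HASH_RATE, KDF_ITERATIONS) / SECONDS_PER_YEAR,
        }
    return out

if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name}: {r['bits']} bits, fast hash {r['fast_hash_years']:.2e} years, "
              f"KDF {r['kdf_years']:.2e} years")
```

The 8-character lowercase case falls to the fast hash in about a second and survives only minutes to days under the KDF, while the 16-character random password is out of reach either way; the KDF helps the weak password most, but it cannot substitute for entropy.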