On 2024-08-28 at 12:03 -0700, Brandon Long wrote:
> On Mon, Aug 26, 2024 at 10:35 PM Viktor Dukhovni wrote:
> > It is a sad state of affairs that no opt-out is available for users
> > who manage strong per-site passwords, and prize long-term
> > availability over often dubious security advantages of said 2nd-
> > factors.
> 
> For one, having your account hijacked doesn't just affect your
> account, such accounts are used for various nefarious purposes,
> including fraud and spam. 
> So, you can't just say "I don't care if my account is hijacked".
> 
> Password strength is also useless against a number of hijacking
> mechanisms.  
> 
> On top of that, if you make such an opt-out available, the people
> using it are not going to be the people who have a level of know-how
> to even come close to being safe.
> I'd also say that maybe the folks who might have that level of opsec
> are actually more paranoid about using 2FA.
> 
> Brandon

The use case brought up by Viktor would be solved if the provider
(Google here) had a "Create a random password that I can save into my
password manager" option, that made an overly long and random password
for the user.

That wouldn't help when the user's machine is compromised and the
malware steals all the credentials from the browser, though. Albeit
that's such an unwinnable scenario, it may not be worth trying to
protect from.

Regards

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop