top | item 18944207

SpaethCo | 7 years ago

In all honesty, it's probably not worth worrying about. The implementation of 2FA you're referring to here is just adding a 2nd secret, with a small twist of having a time component.

There are very few scenarios where your (high entropy) password would be compromised in a way that wouldn't also lead to the discovery of at least 1 functional 2FA code.

1) Website is breached. If they can get the account password hashes, chances are they're going to get the TOTP seeds as well.

2) You're phished. Your attacker passes through your credentials (scraping the password along the way), and they get a functional session token. With most services, you can turn off 2FA just by reconfirming the account password.

3) Your password manager is breached. 'nuff said.

The push behind 2FA isn't so much because high entropy passwords are vulnerable (except in a phishing context, but there TOTP is equally vulnerable) -- the momentum behind 2FA is because we can't convince people to stop using '123456' as a password.

yingw787|7 years ago

I’ve been robbed six times, including once where one third of my money disappeared. I agree with you that security is only as strong as its weakest link. I just take emotional comfort in doing everything I can to make myself more prickly and less vulnerable.

kerng|7 years ago

That's scary. If you have been robbed six times, your operational security is probably pretty weak. Unless you are some kind of high value asset.

Would be curious to learn more about how it happened, to see if there are any learnings for myself to improve operational security.