top | item 36829480


CyberRage | 2 years ago

It is not, because:

1. TOTP is time based: after 30 seconds it means absolutely nothing, and you cannot recreate the 'secret key' from that number.

2. With TOTP everything is well known. TOTP usually generates a 6-digit 'secret', which makes managing it very predictable:

6 digits = 1,000,000 options (including all zeros), so we can easily calculate a good security margin,

e.g. 5 attempts: 5/1,000,000 = 0.000005% chance of success. A very predictable security margin.

For passwords it's a huge unknown; it entirely depends on the user's password quality.
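A worked illustration of the two points above (a code is only valid for its 30-second step, and a small attempt budget caps the guessing odds), added here and not part of the thread. The secret is the RFC 4226/6238 test key, and the verifier and its lockout policy are assumptions, not any particular product:

```python
import hmac, hashlib, struct

# RFC 4226 / RFC 6238 test-vector key, used here only as a constructed demo secret.
SECRET = b"12345678901234567890"
STEP = 30          # seconds per TOTP step
DIGITS = 6         # code length the comment discusses (10^6 possibilities)
MAX_ATTEMPTS = 5   # attempt budget from the comment's 5/1,000,000 example (assumed policy)

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)

class TotpVerifier:
    """Accepts only the current step (plus `skew` neighbours for clock drift) and
    refuses every further guess once the attempt budget is spent."""
    def __init__(self, secret: bytes, max_attempts: int = MAX_ATTEMPTS, skew: int = 1):
        self.secret, self.max_attempts, self.skew = secret, max_attempts, skew
        self.failures = 0

    def verify(self, code: str, at: int) -> bool:
        if self.failures >= self.max_attempts:
            return False                      # locked out: budget exhausted
        counter = at // STEP
        for c in range(counter - self.skew, counter + self.skew + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.failures = 0             # success resets the budget
                return True
        self.failures += 1
        return False

def guess_success_probability(attempts: int, digits: int = DIGITS, skew: int = 1) -> float:
    """Upper bound on blind guessing: each attempt may hit any of the (2*skew+1)
    accepted codes among 10^digits, so the margin is a simple product."""
    return min(1.0, attempts * (2 * skew + 1) / 10 ** digits)
```

With `skew=0` and five attempts the bound is exactly the comment's 5/1,000,000; widening the window to +-1 step triples it, which is why clock-skew tolerance and the attempt budget must be set together.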

krupan | 2 years ago

While you are technically correct, you are missing the whole point of the blog post.

CyberRage | 2 years ago

Seems like a rant to me.

Passwords are used because they are convenient and intuitive.

Once you use a 'password manager' you basically have a glorified key generator/storer.

We already have so many alternatives, from GPG keys to FIDO/FIDO2 solutions.

Security isn't always the first priority when running a website/app; it is the sad but honest truth (coming from a security expert with over a decade of experience).