Re: google account say it will no longer deliver email
On 2022-05-14, Ash Joubert <ash@transient.nz> wrote:
> On 13/05/2022 12:23, Nicholas Geovanis wrote:
>> That's the value added in exchange for Ash's "massive pain in the arse".
>> Just making the 1st factor be
>> a loong password is not equivalent to 2FA in any way. Machine reaching back
>> to you is the difference.
>
> There are attacks that 2FA can defeat, especially things like password
> reset via compromised email server, but in general, two weak factors are
> not a match for a strong unique random password. In particular, it is
> not uncommon for sms/email/totp second factor to resolve to exactly the
> same device as the first factor, reducing 2FA to a single factor.
> Compromise such a user's phone and it is all over.
What about data breaches, and sites keeping your password
in plain text (though it seems access to the cryptographically hashed
passcodes is already a pretty good leg up)? What good is our entropy then?
https://en.wikipedia.org/wiki/List_of_data_breaches
https://arstechnica.com/information-technology/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/