
Re: google account say it will no longer deliver email



On Sat 14 May 2022 at 14:02:36 (+0100), Brian wrote:
> On Sat 14 May 2022 at 12:02:49 -0000, Curt wrote:
> > On 2022-05-14, <tomas@tuxteam.de> wrote:
> > > On Sat, May 14, 2022 at 08:58:37AM -0000, Curt wrote:
> > >
> > > [...]
> > >
> > >> What about data breaches, and sites keeping your password
> > >> in plain text (though it seems access to the cryptographically hashed
> > >> passcodes is already a pretty good leg up)? What good is our entropy then?
> > >
> > > As stated elsewhere: unique passwords. Don't use a password you're using
> > > elsewhere. Much less so with a site you don't trust.
> > 
> > As always, I'm very uncertain where your goal posts are placed or what
> > tacit agenda you're following. No one has advocated the use of unique
> > passwords. 
> > 
> > In my plausible scenario, your password entropy counts for nothing.
> > Your password, unique or otherwise, has been compromised. 2FA would
> > prevent illegal entry to your account in this case. The subject we're
> > addressing here is your assertion that 2FA adds no extra security. I
> > have demonstrated that it does.
> 
> Preventing data breaches is outside the scope of the user, providing
> a high entropy password is not. If accessing a site is of importance
> to him, then, in your plausible scenario, an eight character password
> effectively gives little security.
> 
> That is not an argument for 2FA but for a user having a responsible
> password policy to guard against such breaches.

Preventing data breaches might be outside my control, but mitigating
their effect might not be. So I like to have 2FA set up as entering
a code in response to a phone call. There's some peace of mind in my
/not/ receiving any of those calls unless /I/ try to login.

Were it to ring unexpectedly and I heard a woman with a crisp British
accent announce "Hello [pause] You have requested a code for logging
in to your account; the number is one three fave [sic] seven nine
nine; this code will expire in ten minutes", I would know something's
afoot, and I've got some urgent calls to make.

Cheers,
David.

