
Re: google account says it will no longer deliver email



On Sun 15 May 2022 at 22:39:14 -0500, David Wright wrote:

> On Sat 14 May 2022 at 14:02:36 (+0100), Brian wrote:
> > On Sat 14 May 2022 at 12:02:49 -0000, Curt wrote:
> > > On 2022-05-14, <tomas@tuxteam.de> wrote:
> > > > On Sat, May 14, 2022 at 08:58:37AM -0000, Curt wrote:
> > > >
> > > > [...]
> > > >
> > > >> What about data breaches, and sites keeping your password
> > > >> in plain text (though it seems access to the cryptographically hashed
> > > >> passcodes is already a pretty good leg up)? What good is our entropy then?
> > > >
> > > > As stated elsewhere: unique passwords. Don't use a password you're using
> > > > elsewhere. Much less so with a site you don't trust.
> > > 
> > > As always, I'm very uncertain where your goal posts are placed or what
> > > tacit agenda you're following. No one has advocated the use of unique
> > > passwords. 
> > > 
> > > In my plausible scenario, your password entropy counts for nothing.
> > > Your password, unique or otherwise, has been compromised. 2FA would
> > > prevent illegal entry to your account in this case. The subject we're
> > > addressing here is your assertion that 2FA adds no extra security. I
> > > have demonstrated that it does.
> > 
> > Preventing data breaches is outside the scope of the user, providing
> > a high entropy password is not. If accessing a site is of importance
> > to him, then, in your plausible scenario, an eight character password
> > effectively gives little security.
> > 
> > That is not an argument for 2FA but for a user having a responsible
> > password policy to guard against such breaches.
> 
> Preventing data breaches might be outside my control, but mitigating
> their effect might not be. So I like to have 2FA set up as entering
> a code in response to a phone call. There's some peace of mind in my
> /not/ receiving any of those calls unless /I/ try to login.
> 
> Were it to ring unexpectedly and I heard a woman with a crisp British
> accent announce "Hello [pause] You have requested a code for logging
> in to your account; the number is one three fave [sic] seven nine
> nine; this code will expire in ten minutes", I would know something's
> afoot, and I've got some urgent calls to make.

Something may be untoward, but it very likely won't be as a result of
your 16/20 character, high entropy password being brute-forced after a
data breach at your credit card provider. This mitigation technique
should be sufficient to bring peace of mind.

OTOH, 2FA is part of the regulatory aspect for some financial entities
and impossible to avoid. Of what use is a strong password in that
situation? Strong or weak, authentication now takes place with the
second factor.

-- 
Brian.
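An added worked example, not part of the thread above, that puts numbers on the offline-guessing scenario the posters argue about: entropy and expected crack time for 8 versus 16/20 character passwords drawn from the 95 printable ASCII characters, after a breach leaks the site's hashes. The two guess rates are assumptions for illustration, not measurements, and the example does not model 2FA at all; it only shows why an eight character password gives little margin once the hash is in an attacker's hands while 16/20 characters do.

```python
import math

# Offline-guessing cost model for a leaked password hash. Rates below are
# constructed assumptions (order-of-magnitude only), not benchmark results:
# a fast unsalted hash on a GPU rig vs a deliberately slow password hash.
GUESSES_PER_SEC = {
    "fast_hash_gpu": 1e10,   # assumed: MD5/SHA-1 class hash on a GPU rig
    "slow_hash": 1e4,        # assumed: bcrypt/scrypt/Argon2 class hash
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(length: int, charset_size: int) -> float:
    """Bits of entropy for a uniformly random password of this length."""
    return length * math.log2(charset_size)


def expected_years(length: int, charset_size: int, guesses_per_sec: float) -> float:
    """Expected years to find a random password: on average half the keyspace."""
    expected_guesses = charset_size ** length / 2
    return expected_guesses / guesses_per_sec / SECONDS_PER_YEAR


def compare(lengths=(8, 16, 20), charset_size=95) -> dict:
    """Entropy and expected crack time per length, for each assumed hash speed."""
    table = {}
    for n in lengths:
        row = {"bits": round(entropy_bits(n, charset_size), 1)}
        for name, rate in GUESSES_PER_SEC.items():
            row[name] = expected_years(n, charset_size, rate)
        table[n] = row
    return table


if __name__ == "__main__":
    for n, row in compare().items():
        print(f"{n:2d} chars: {row['bits']:6.1f} bits, "
              f"fast hash ~{row['fast_hash_gpu']:.2e} years, "
              f"slow hash ~{row['slow_hash']:.2e} years")
```

The only lever the user controls in this model is the length term; the hash speed is the site's choice, which is the point made in the thread that breach prevention is out of the user's hands but password length is not.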

