On 14/05/2022 00:42, Michael Stone wrote:
> On Fri, May 13, 2022 at 07:16:11AM +0200, tomas@tuxteam.de wrote:
>> A loong password is not "equivalent" to 2FA, that's right. Good
>> password management (of which length is but a part) is as secure as
>> 2FA.
> No, it really isn't.
A good password will not protect you from password reset via a weak channel such as email on an insecure server.
2FA will not protect you if the second factor is weak or resolves to the same device. Hint: if you store your password and TOTP key in the same manager then you have only one factor.
2FA often smells to me like security theatre, a band-aid over a sucking chest wound of weak security practices, much like forced password expiry. Done well, in addition to good security practices, including strong unique random passwords, 2FA enhances security, but the cost is high. Note however that the cost of a compromise can be devastating.
If you use 2FA, you must include it in your disaster recovery plans. Imagine all your on-site devices including your phone are destroyed. Now recover.
Kind regards,

--
Ash Joubert <ash@transient.nz>
Director
Transient Software Limited <https://transient.nz/>
New Zealand
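The "only one factor" point above is easiest to see in code. The following is an added illustration, not part of the thread and not anything the participants posted: a plain RFC 4226/6238 HOTP/TOTP implementation using only the Python standard library, checked against the RFC's published test vectors (secret "12345678901234567890"), plus a constructed password vault (hypothetical contents) to show that whoever holds the vault can produce both the password and a valid code, so the "second" factor collapses into the first.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_login(stored_password: str, seed: bytes, password: str, code: str,
                 now: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check: password must match and the code must be valid for
    the current time step or one of +/-window adjacent steps (clock drift).
    Comparisons use hmac.compare_digest to avoid timing leaks."""
    if not hmac.compare_digest(stored_password.encode(), password.encode()):
        return False
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(seed, now + drift * step, step), code):
            return True
    return False


# Constructed example vault: a password manager entry that stores BOTH the
# password and the TOTP seed for the same account. Values are made up.
CONSTRUCTED_VAULT = {
    "password": "correct-horse-battery-staple",
    "totp_seed": b"12345678901234567890",  # RFC 6238 test-vector secret
}


def login_with_vault_only(vault: dict, now: int) -> bool:
    """Everything needed to pass verify_login is derivable from the vault
    alone: one compromised secret store yields both 'factors'."""
    password = vault["password"]
    code = totp(vault["totp_seed"], now)
    # The server's copy of the credentials is the same data the vault holds.
    return verify_login(vault["password"], vault["totp_seed"], password, code, now)


if __name__ == "__main__":
    print("HOTP(counter=0):", hotp(b"12345678901234567890", 0))
    print("TOTP(t=59, 8 digits):", totp(b"12345678901234567890", 59, digits=8))
    print("Login from vault contents alone:", login_with_vault_only(CONSTRUCTED_VAULT, 59))
```

The HOTP and TOTP functions reproduce the RFC test vectors (counter 0 gives 755224; time 59 with 8 digits gives 94287082), which is the quickest way to confirm an implementation before trusting it. The last function is the point of the thread: a TOTP seed is "something you have" only while it lives somewhere your password does not.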