
Re: google account say it will no longer deliver email



On Sat, 14 May 2022 15:05:11 +1200
Ash Joubert <ash@transient.nz> wrote:

> On 14/05/2022 00:42, Michael Stone wrote:
> > On Fri, May 13, 2022 at 07:16:11AM +0200, tomas@tuxteam.de wrote:
> >> A loong password is not "equivalent" to 2FA, that's right. Good
> >> password management (of which length is but a part) is as secure
> >> as 2FA.
> > 
> > No, it really isn't.
> 
> A good password will not protect you from password reset via a weak 
> channel such as email on an insecure server.
> 
> 2FA will not protect you if the second factor is weak or resolves to the 
> same device. Hint: if you store your password and TOTP key in the same 
> manager then you have only one factor.

But as you concede below, this is an argument against poorly
implemented 2FA, not against well-implemented 2FA.

> 2FA often smells to me like security theatre, a band-aid over a sucking 
> chest wound of weak security practices, much like forced password 
> expiry. Done well, in addition to good security practices, including 
> strong unique random passwords, 2FA enhances security, but the cost is 
> high. Note however that the cost of a compromise can be devastating.

Is the cost really that high? U2F hardware keys are readily available
for as little as $15 USD (perhaps less - I just took a very quick look
on Amazon), and they can secure all your accounts (that support U2F
2FA).

> If you use 2FA, you must include it in your disaster recovery plans. 
> Imagine all your on-site devices including your phone are destroyed. Now 
> recover.

A very good point. For that, well-implemented 2FA systems typically
encourage the printing out / saving of a handful of OTP passcodes
(which you should backup / print out and save offsite). But of course,
the same is true for passwords as well (assuming you're using (as you
should) long, random ones that are difficult or impossible to remember).

But I agree that it's complicated:

https://dmitryfrank.com/articles/backup_u2f_token

-- 
Celejar
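The recovery-code practice mentioned above (a handful of one-time codes handed out at 2FA enrolment, to be printed and kept offsite) is easy to get wrong on the server side. The following is an added example, not code from the thread or from any poster, showing the defender's half of it under two assumptions: codes are stored only as salted hashes so a database leak does not yield usable codes, and each code is deleted on its first successful redemption. The alphabet, code length and iteration count are illustrative choices.

```python
import hashlib
import hmac
import secrets

# Constructed example: issuing and redeeming one-time recovery codes of the
# kind a 2FA enrolment flow hands the user to print and store offsite.
# Codes are kept only as salted PBKDF2 hashes; a leaked store is not usable
# to log in, and a redeemed code can never be replayed.

# Illustrative alphabet without 0/O/1/l/i, so a printed code is unambiguous.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
PBKDF2_ROUNDS = 100_000  # assumption: chosen for the example, tune for production


def generate_recovery_codes(count=10, length=10):
    """Return `count` random codes formatted as xxxxx-xxxxx for printing."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes


def _hash_code(code, salt):
    """Normalise user input (dashes, spaces, case) and derive the stored hash."""
    normalised = code.replace("-", "").replace(" ", "").strip().lower()
    return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, PBKDF2_ROUNDS)


class RecoveryCodeStore:
    """Per-account store of the hashes of not-yet-redeemed recovery codes."""

    def __init__(self):
        self._salt = secrets.token_bytes(16)
        self._hashes = set()

    def enroll(self, count=10):
        """Issue a fresh set of codes; the plaintext is shown to the user once."""
        codes = generate_recovery_codes(count)
        self._hashes = {_hash_code(c, self._salt) for c in codes}
        return codes

    def remaining(self):
        """How many codes are still unredeemed (useful for a 'reissue' warning)."""
        return len(self._hashes)

    def redeem(self, candidate):
        """Consume a code: True exactly once per valid code, False otherwise."""
        digest = _hash_code(candidate, self._salt)
        for stored in self._hashes:
            # Constant-time comparison so timing does not leak partial matches.
            if hmac.compare_digest(stored, digest):
                self._hashes.discard(stored)  # single use: burn it
                return True
        return False


if __name__ == "__main__":
    store = RecoveryCodeStore()
    issued = store.enroll()
    print("Print these and keep them offsite:", *issued, sep="\n  ")
    print("first use ok:", store.redeem(issued[0]))
    print("replay rejected:", store.redeem(issued[0]))
    print("codes left:", store.remaining())
```

The point the thread raises (lose every on-site device, then recover) is handled by the plaintext being shown once and stored by the user, not by the service; the service keeps only hashes, so neither a leaked database nor a replayed code gets an attacker in, and `remaining()` lets the account page warn when it is time to reissue.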

