• rmuk@feddit.ukEnglish
    331·
    3 days ago

    “You don’t need 2FA, just make sure to pick a good password.”

      • Lightfire228@pawb.social
        21·
        3 days ago

        Yes, and no.

        If the password is stored properly (hashed and salted), then a high entropy PW will make it nearly impossible for your PW to be extracted from a database dump / data leak

        On the other end, if the PW is stored as plain-text, a high entropy PW is useless.

        In between, a weak hash algorithm or no salt, a high entropy PW still makes it much harder to extract, but it depends

        In general, 2FA is more secure, since it combines 2 different methods of authentication.

        • something you know: password
        • something you have: the 2FA token (usually on a phone)

        This protects the service (as well as the user) against a broader range of attacks. Such as

        • password reuse (which nearly everyone does)
          • this is particularly bad, because you’re increasing the chance that a weakly designed system will have it’s data stolen, your reused PW and username included
        • phising attempts
          • somewhat
        • low entropy passwords
        • replay attacks
          • since 2FA tokens are usually time bases (TOTP), they expire after a few minutes and can’t be reused if an attacker manages to intercept one

        Among others

      • Baŝto@discuss.tchncs.deEnglish
        1·
        2 days ago

        rsndomly genetated with high entropy

        ≠pick a good password

        I’d expect password safes to filter out bad passwords and/or have some rules for that stuff not to happen, but when you just go by randomness you can end up with passwordo like abcd1234 or cat. There is an XKCD (can’t find it) where his dad used a very weak password, but followed his password generation algorithm.