Are passwords of 8 random characters good enough if I'm using 2SV/2FA?


If my accounts are protected with two-step verification/two-factor authentication, it seems to me that passwords that are 8 characters long are acceptable and more usable.

What is your comment?

Thanks


Actually there is never ‘good enough’ in computer security (especially over time). Is an 8-character password sufficient? No. Even if you have more layers (as you should), you shouldn’t dismiss other concerns (because if you do that, then who is to say that you’ll always be able to know when it is acceptable – if there is an acceptable time).

It is true that some eight-character passwords are better than many others, but that does not mean they are good passwords, no. Note also that there is a difference between length and complexity, so if you were to increase it, it might not be all that much better (as far as password quality). It depends on more than the length, in other words.

  • dw14
    I always thought length was better than complexity? i.e. 26 character passphrase, better than 12 character with upper case, number and +/* etc? Harder to brute force?
  • coyote
    Well, passphrases are another beast. But if you wish to go that way you might want to look into Diceware. As for complexity versus length: both combined is what you’re really after. There is a lot of material out there on this subject – and I could not possibly do it justice (even if I could, I couldn’t do it here – it would be far too much to write). But complexity is really important in any case. Look at it this way: if you have a complex 26-character password versus a complex 12-character password, which do you think fares better? Passphrases have uses though; I actually use them for some things (e.g. ssh keys, gpg keys, etc.).

Two-Factor Authentication is in some cases – notably when one of the accounts used for authentication is compromised – less secure than just having a ½-decent password.

For a case in point, you might want to look up Matt Honan and how social engineering Apple resulted in control of his hardware ending up in third parties’ hands – resulting in data damage to local hardware – just to get near an account that could auth in to a technical journal’s Twitter feed. One thing compromised took out everything it was linked to.

If you really must have a “human recollectable” password, I would heavily suggest the “XKCD method”: https://www.xkcd.com/936/

If you want secure passwords, then there’s no hope in trying to remember them for most people – especially with a few hundred bits of entropy in – and I would suggest the use of a password manager – like KeePass – to store these securely in an encrypted DB. It’s also capable of generating passwords securely (in case you forgot how to: dd if=/dev/urandom bs=1 count=255 2>/dev/null | base64 -w 0 | rev | cut -b 2-42 | rev ) to a specified length and complexity, and when creating a new entry it will indicate p/w entropy.
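An added example, not from either answer, that puts numbers on the length-versus-complexity exchange in the comments above and on the entropy of the 41-character base64 string the dd pipeline in this answer produces. It is written in Python; the 10^10 guesses-per-second cracking rate and the 7776-word Diceware list size are assumptions chosen for illustration, and the 94-symbol alphabet is the printable ASCII set minus space.

```python
import math
import secrets
import string

# Constructed alphabet constants used to size each search space.
LOWER = string.ascii_lowercase                                      # 26 symbols
FULL = string.ascii_letters + string.digits + string.punctuation    # 94 symbols
BASE64 = string.ascii_letters + string.digits + "+/"                # 64 symbols
DICEWARE_WORDS = 7776   # assumption: a standard 6^5-word Diceware list

# Assumed offline cracking rate (guesses per second) for the worst-case
# estimate; an illustrative figure, not a measured one.
GUESSES_PER_SECOND = 1e10


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a string of `length` symbols drawn uniformly at
    random from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate of a `bits`-entropy secret at the
    given guess rate (an upper bound; the expected time is half of this)."""
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)


def generate_password(alphabet: str, length: int) -> str:
    """Uniformly random password from `alphabet` via the OS CSPRNG, the same
    idea as the dd-from-/dev/urandom pipeline in the answer."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_schemes() -> dict:
    """Entropy and worst-case exhaustive-search time for the schemes the
    thread discusses, keyed by a short label."""
    schemes = {
        "8 chars, 94-symbol alphabet": (len(FULL), 8),
        "12 chars, 94-symbol alphabet": (len(FULL), 12),
        "26 chars, lowercase only": (len(LOWER), 26),
        "6 Diceware words": (DICEWARE_WORDS, 6),
        "41 base64 chars (dd pipeline)": (len(BASE64), 41),
    }
    report = {}
    for label, (alphabet_size, length) in schemes.items():
        bits = entropy_bits(alphabet_size, length)
        report[label] = {"bits": bits, "years": years_to_exhaust(bits)}
    return report


if __name__ == "__main__":
    for label, row in compare_schemes().items():
        print(f"{label:32s} {row['bits']:7.1f} bits  {row['years']:12.3g} years")
    print("sample 41-char password:", generate_password(BASE64, 41))
```

Two things the table makes visible: 8 random printable characters is only about 52 bits, which at the assumed rate is exhausted in days, while the dd pipeline's 41 base64 characters carry 246 bits (6 bits per character, since the input bytes are uniformly random and 255 bytes encode with no padding). And the "26 lowercase characters beats 12 complex ones" intuition only holds when those 26 characters are themselves uniformly random; six words picked from a Diceware list, which is what a real passphrase looks like, come in at roughly the same 77 bits as the 12-character complex password, which is coyote's point that length alone is not the measure.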
