On 2022-05-14, Ash Joubert <a...@transient.nz> wrote:
> On 13/05/2022 12:23, Nicholas Geovanis wrote:
>> That's the value added in exchange for Ash's "massive pain in the arse".
>> Just making the 1st factor be
>> a loong password is not equivalent to 2FA in any way. Machine reaching back
>> to you is the difference.
>
> There are attacks that 2FA can defeat, especially things like password
> reset via compromised email server, but in general, two weak factors are
> not a match for a strong unique random password. In particular, it is
> not uncommon for sms/email/totp second factor to resolve to exactly the
> same device as the first factor, reducing 2FA to a single factor.
> Compromise such a user's phone and it is all over.
What about data breaches, and sites keeping your password in plain text (though it seems access to the cryptographically hashed passcodes is already a pretty good leg up)? What good is our entropy then?

https://en.wikipedia.org/wiki/List_of_data_breaches
https://arstechnica.com/information-technology/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
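The question of what password entropy buys you once a site's database leaks can be put in numbers. The following is an added example, not code from anyone in this thread: it generates a uniformly random password, computes its entropy, and estimates the expected offline-guessing time under three storage regimes (plaintext, a fast unsalted hash, and a salted memory-hard KDF). The guess rates in `ASSUMED_GUESS_RATES` are illustrative assumptions chosen for the example, not measurements, and `hashlib.scrypt` stands in for whatever slow KDF a site actually uses.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# 94 printable ASCII symbols: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumed offline guess rates (guesses per second) for an attacker who holds
# the leaked database. These are illustrative numbers for this example only.
ASSUMED_GUESS_RATES = {
    "plaintext": None,   # nothing to guess: the password is simply read
    "fast_hash": 1e10,   # e.g. unsalted SHA-256 on GPUs
    "scrypt": 1e4,       # memory-hard KDF, salted, per-guess cost is high
}

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length=16):
    """Uniformly random password drawn from ALPHABET using a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def password_entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def expected_guesses(entropy_bits):
    """On average an attacker searches half the space before hitting it."""
    return 2 ** (entropy_bits - 1)


def expected_cracking_years(entropy_bits, guesses_per_second):
    """Expected wall-clock years to recover one uniformly random password."""
    if guesses_per_second is None:
        return 0.0  # plaintext: entropy is irrelevant, the secret is exposed
    return expected_guesses(entropy_bits) / guesses_per_second / SECONDS_PER_YEAR


def attacker_years_by_storage(entropy_bits, rates=ASSUMED_GUESS_RATES):
    """Map each storage regime to the expected cracking time in years."""
    return {mode: expected_cracking_years(entropy_bits, rate)
            for mode, rate in rates.items()}


def hash_password_scrypt(password, salt=None):
    """Store a random 16-byte salt plus the scrypt digest, never the password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_password_scrypt(password, salt, digest):
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for length in (8, 12, 16):
        bits = password_entropy_bits(length)
        print(f"{length}-char random password: {bits:.1f} bits")
        for mode, years in attacker_years_by_storage(bits).items():
            print(f"  {mode:10s} expected cracking time: {years:.3g} years")
    pw = generate_password(16)
    salt, digest = hash_password_scrypt(pw)
    print("verify correct:", verify_password_scrypt(pw, salt, digest))
    print("verify wrong:  ", verify_password_scrypt(pw + "x", salt, digest))
```

The table this prints makes the trade-off visible: in the plaintext row entropy contributes nothing, while in the hashed rows the expected time scales as 2^(bits-1) divided by the guess rate, so a slow salted KDF multiplies the benefit of every bit the user added. The `scrypt` parameters here are fixed for the example; a real deployment tunes them to its hardware.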