On Sat 14 May 2022 at 07:23:47 +0200, to...@tuxteam.de wrote:
> On Sat, May 14, 2022 at 02:40:53PM +1200, Ash Joubert wrote:
> > On 13/05/2022 12:23, Nicholas Geovanis wrote:
> > > That's the value added in exchange for Ash's "massive pain in the arse".
> > > Just making the 1st factor be a loong password is not equivalent to 2FA
> > > in any way. Machine reaching back to you is the difference.
> >
> > There are attacks that 2FA can defeat, especially things like password reset
> > via compromised email server, but in general, two weak factors are not a
> > match for a strong unique random password [...]
>
> [strong, unique, random]
>
> That's it. The unique part can't be stressed enough: if you have
> umpteen services out there, it's a matter of time until one of
> those passwords leaks (incompetent service provider, phishing,
> etc.). It better be different from your other passwords.
>
> To minimise stress, I let a tool generate my passwords (pwgen).
> Important ones are 16 chars (disk & backup encryption, bank account
> key armor, etc.), less important ones (e.g. local login) just 8.
Let me introduce you to my bank: they reduced the maximum from 20 chars to 16 and did not allow some special chars such as "!" and ".". Mind you, I feel much more secure - 3FA is used :).

-- 
Brian.
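The thread compares 8- and 16-character generated passwords and then a bank that caps length at 16 and bans some symbols. The following is an added example, not code from the thread, from pwgen or from any bank: it generates a uniformly random password from a CSPRNG while honouring a site's stated policy, and reports how many bits of entropy that policy leaves. The policy values (max 16, "!" and "." disallowed) are assumptions modelled on the message above, and the 62-character alphanumeric alphabet is only an assumed approximation of pwgen's character set.

```python
"""Policy-aware random password generation with entropy accounting.

Added example (not from the thread, pwgen, or any real bank).  Shows what
"strong, unique, random" costs in bits once a site restricts the length
and the symbol set, as the bank in the thread does.
"""
import math
import secrets
import string

# Full printable-ASCII symbol set; a site policy may ban some of these.
ALL_SYMBOLS = string.punctuation            # 32 characters
ALNUM = string.ascii_letters + string.digits  # 62 characters (assumed pwgen-like)


def allowed_alphabet(disallowed_symbols=""):
    """Letters, digits and every punctuation char the site does not ban."""
    symbols = "".join(c for c in ALL_SYMBOLS if c not in disallowed_symbols)
    return ALNUM + symbols


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def generate_password(length, alphabet):
    """Uniform random password over `alphabet`, drawn from a CSPRNG.

    secrets.choice has no modulo bias and uses the OS entropy source,
    unlike random.choice, which is seeded from a non-cryptographic PRNG.
    """
    if length < 1:
        raise ValueError("length must be positive")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct chars")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def meets_policy(password, max_length, disallowed_symbols=""):
    """True if the password fits the site's length cap and symbol bans."""
    return (len(password) <= max_length
            and not any(c in disallowed_symbols for c in password))


def password_for_site(max_length, disallowed_symbols="", wanted_length=16):
    """Longest allowed password for a site, plus its entropy in bits.

    Returns (password, bits).  Assumed bank-style policy from the thread:
    max_length=16, disallowed_symbols="!.".  If the cap is below the
    wanted length, the password is shortened and the entropy drops with it.
    """
    length = min(wanted_length, max_length)
    alphabet = allowed_alphabet(disallowed_symbols)
    pw = generate_password(length, alphabet)
    assert meets_policy(pw, max_length, disallowed_symbols)
    return pw, entropy_bits(length, len(alphabet))


def is_unique(password, already_used):
    """The 'unique' part: refuse a password already used elsewhere."""
    return password not in already_used


if __name__ == "__main__":
    # The two tiers from the thread, over an assumed alphanumeric alphabet.
    for n in (8, 16):
        print(f"{n} alnum chars : {entropy_bits(n, len(ALNUM)):5.1f} bits")
    # The bank's assumed policy: 16 max, no '!' or '.'.
    pw, bits = password_for_site(16, "!.")
    print(f"bank policy    : {bits:5.1f} bits  -> {pw}")
    # A 20-char cap lets the full wanted length through; a 12-char cap does not.
    print(f"cap 20, want 16: {password_for_site(20, '!.')[1]:5.1f} bits")
    print(f"cap 12, want 16: {password_for_site(12, '!.')[1]:5.1f} bits")
```

The numbers make the thread's point concrete: 8 alphanumeric characters give under 48 bits of entropy, 16 give over 95, and the bank's ban on two symbols costs only a fraction of a bit, whereas a lower length cap costs about six bits per character removed. The figures are upper bounds for generators that produce pronounceable output (pwgen without its secure mode), since those draw from a non-uniform distribution.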