Comment on Ain't no one breaking in

rmuk@feddit.uk ⁨1⁩ ⁨day⁩ ago

• ehyuman@lemmy.dbzer0.com ⁨1⁩ ⁨day⁩ ago

  is this real? genuinely? I also thought if my pw was rsndomly genetated with high entropy, I’d be safe…

  source

  • Lightfire228@pawb.social ⁨1⁩ ⁨day⁩ ago

    Yes, and no.

    If the password is stored properly (hashed and salted), then a high entropy PW will make it nearly impossible for your PW to be extracted from a database dump / data leak

    On the other end, if the PW is stored as plain-text, a high entropy PW is useless.

    In between, a weak hash algorithm or no salt, a high entropy PW still makes it much harder to extract, but it depends

    ---

    In general, 2FA is more secure, since it combines 2 different methods of authentication.

    • something you know: password
    • something you have: the 2FA token (usually on a phone)

    This protects the service (as well as the user) against a broader range of attacks. Such as

    • password reuse (which nearly everyone does)
      • this is particularly bad, because you’re increasing the chance that a weakly designed system will have it’s data stolen, your reused PW and username included
    • phising attempts
    • low entropy passwords
    • replay attacks
      • since 2FA tokens are usually time bases (TOTP), they expire after a few minutes and can’t be reused if an attacker manages to intercept one

    Among others

    source
  • basxto@discuss.tchncs.de ⁨9⁩ ⁨hours⁩ ago

    rsndomly genetated with high entropy

    ≠pick a good password

    I’d expect password safes to filter out bad passwords and/or have some rules for that stuff not to happen, but when you just go by randomness you can end up with passwordo like abcd1234 or cat. There is an XKCD (can’t find it) where his dad used a very weak password, but followed his password generation algorithm.

    source