Comment on Ain't no one breaking in
Lightfire228@pawb.social 1 day ago
Yes, and no.
If the password is stored properly (hashed and salted), then a high entropy PW will make it nearly impossible for your PW to be extracted from a database dump / data leak.
On the other end, if the PW is stored as plain-text, a high entropy PW is useless.
In between, a weak hash algorithm or no salt, a high entropy PW still makes it much harder to extract, but it depends.
In general, 2FA is more secure, since it combines 2 different methods of authentication.
- something you know: password
- something you have: the 2FA token (usually on a phone)
This protects the service (as well as the user) against a broader range of attacks, such as:
- password reuse (which nearly everyone does)
  - this is particularly bad, because you're increasing the chance that a weakly designed system will have its data stolen, your reused PW and username included
- phishing attempts
- low entropy passwords
- replay attacks
  - since 2FA tokens are usually time based (TOTP), they expire after a few minutes and can't be reused if an attacker manages to intercept one
Among others.
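An added example (not part of the comment above or of any project it mentions) illustrating the two technical claims in it: that salted hashing means two records with the same password do not look alike in a dump, while unsalted hashing does, and that a TOTP code intercepted at one time step fails verification at a later one. Password storage uses PBKDF2-HMAC-SHA256 with a random 16-byte salt; the TOTP part follows RFC 6238 with its 30-second step and SHA-1, and `RFC_SECRET` is the RFC's published test secret. The round count, the ±1 step skew window and the sample passwords are constructed choices for the demonstration.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

# --- Part 1: password storage -------------------------------------------
# Constructed parameters for the example; production round counts should be
# tuned to the hardware, and the salt must be unique per record.
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def same_password_different_records(password: str) -> bool:
    """Two users with the same password get distinct stored digests when salted."""
    _, d1 = hash_password(password)
    _, d2 = hash_password(password)
    return d1 != d2


def unsalted_hashes_collide(password: str) -> bool:
    """Without a salt the same password hashes identically, so reuse is
    visible in a dump and a single precomputed digest matches every user."""
    h1 = hashlib.sha256(password.encode()).hexdigest()
    h2 = hashlib.sha256(password.encode()).hexdigest()
    return h1 == h2


# --- Part 2: TOTP (RFC 6238) and why a replayed code fails --------------
RFC_SECRET = b"12345678901234567890"  # test secret published in RFC 6238


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from Unix time // step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current step plus/minus `skew` steps to tolerate clock drift."""
    for delta in range(-skew, skew + 1):
        if hmac.compare_digest(totp(secret, now + delta * step, step), code):
            return True
    return False


def replay_rejected(secret: bytes, captured_at: int, replayed_at: int) -> bool:
    """A code valid when captured is not accepted once the time step has moved on."""
    code = totp(secret, captured_at)
    return verify_totp(secret, code, captured_at) and not verify_totp(secret, code, replayed_at)


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print("salted verify:", verify_password("correct horse battery staple", salt, digest))
    print("salted digests differ:", same_password_different_records("hunter2"))
    print("unsalted digests collide:", unsalted_hashes_collide("hunter2"))
    print("RFC vector t=59:", totp(RFC_SECRET, 59, digits=8))
    print("replay rejected:", replay_rejected(RFC_SECRET, 59, 1111111109))
```

The verification window is the knob that trades clock tolerance for replay exposure: a code lives for at most `(2 * skew + 1) * step` seconds, and a server that also records the last accepted counter per user (not shown) can reject a second use even inside that window.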