What's the correct minimum length for a password? 6 chars? 8? A number that isn't even? Here's what the big guys do (and why there's much more to it today than just length): https://www.troyhunt.com/how-long-is-long-enough-minimum-password-lengths-by-the-worlds-top-sites/
They could phish it, but it's much harder for phishers to build the infra to do so before the code expires. E.g. real-time password entry and proxying the response, and then storing the session cookie. FWIW I agree, but we need to work harder to reduce the U2F life-cycle issues.
It requires a few new lines of PHP, yes. I don't agree that qualifies as "much harder".
I think the bare minimum requirement for "raising the bar" is a new capability the attacker hasn't already demonstrated.
It's trivial to phish and even customize SMS/TOTP 2FA. U2F support needs to start being the #1 priority, and mandatory SMS 2FA as a fallback is not only inappropriate but also irresponsible.
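The two points argued above (a real-time proxy that relays the victim's one-time code and keeps the resulting session, versus U2F where the same relay fails) can be shown concretely. The following is an added illustration, not code written by anyone in this thread. It implements RFC 6238 TOTP with the standard library and models a U2F/WebAuthn-style assertion in which the browser's origin is part of what the authenticator signs. The assumptions are: HMAC-SHA256 stands in for the authenticator's public-key signature (the property that matters here is origin binding, not the signature algorithm), the domains, secrets and challenge are constructed for the demo, and the relay delay of five seconds is an invented figure.

```python
"""Real-time proxy phishing against TOTP vs. an origin-bound U2F-style assertion.

Added example, not code from the thread. HMAC stands in for the authenticator's
per-site key pair signature (assumption); the point demonstrated is that the
authenticator signs the origin the browser saw, so a relayed challenge signed
on the phishing origin does not verify at the legitimate site.
"""
import hashlib
import hmac
import struct

# Constructed demo values; not real domains, keys or secrets.
LEGIT_ORIGIN = "https://example-bank.test"
PHISH_ORIGIN = "https://example-bank-login.test"   # attacker's lookalike origin
TOTP_SECRET = b"12345678901234567890"               # RFC 6238 test-vector secret
U2F_KEY = b"demo-per-site-key-material"             # stand-in for the site's registered key
LEGIT_CHALLENGE = b"\x01\x02\x03\x04\x05\x06\x07\x08"
RELAY_DELAY_SECONDS = 5                             # assumed time for the proxy to forward the code


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP over the 30-second time step, HMAC-SHA1, dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def server_verify_totp(secret: bytes, code: str, now: int) -> bool:
    """The server only knows the shared secret and the clock; it cannot tell
    who typed the code or on which page."""
    return hmac.compare_digest(totp(secret, now), code)


def authenticator_sign(key: bytes, challenge: bytes, origin: str) -> dict:
    """The browser supplies the origin of the page that invoked the API and the
    authenticator signs it together with the challenge. Assumption: HMAC stands
    in for the registered key pair's signature."""
    client_data = origin.encode() + b"|" + challenge
    return {"client_data": client_data, "sig": hmac.new(key, client_data, hashlib.sha256).digest()}


def server_verify_assertion(key: bytes, expected_challenge: bytes, assertion: dict) -> bool:
    """The relying party checks origin and challenge before the signature."""
    origin, _, challenge = assertion["client_data"].partition(b"|")
    if origin != LEGIT_ORIGIN.encode():
        return False
    if challenge != expected_challenge:
        return False
    expected_sig = hmac.new(key, assertion["client_data"], hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["sig"])


def proxy_phish_totp(secret: bytes, now: int) -> bool:
    """Victim types the current code into the phishing page; the proxy relays it
    to the real site a few seconds later, still inside the same 30-second step."""
    code_typed_by_victim = totp(secret, now)
    return server_verify_totp(secret, code_typed_by_victim, now + RELAY_DELAY_SECONDS)


def proxy_phish_u2f(key: bytes, challenge: bytes) -> bool:
    """Proxy fetches a genuine challenge from the real site and forwards it
    unchanged, but the victim's browser is on PHISH_ORIGIN, so that is what
    ends up in the signed client data."""
    assertion = authenticator_sign(key, challenge, PHISH_ORIGIN)
    return server_verify_assertion(key, challenge, assertion)


def legit_login_u2f(key: bytes, challenge: bytes) -> bool:
    """Same flow with the browser actually on the legitimate origin."""
    assertion = authenticator_sign(key, challenge, LEGIT_ORIGIN)
    return server_verify_assertion(key, challenge, assertion)


if __name__ == "__main__":
    # Fixed clock at a step boundary so the relayed code is still inside the window.
    now = 1_700_000_010
    print("TOTP relayed by proxy accepted:", proxy_phish_totp(TOTP_SECRET, now))
    print("U2F relayed by proxy accepted: ", proxy_phish_u2f(U2F_KEY, LEGIT_CHALLENGE))
    print("U2F on real origin accepted:   ", legit_login_u2f(U2F_KEY, LEGIT_CHALLENGE))
```

The TOTP server has no input that distinguishes the victim from the proxy, so any relay inside the step window succeeds; the cookie the real site then sets is returned to the proxy, which is the "storing the session cookie" step described above. The U2F-style server rejects the relayed assertion at the origin check without ever reaching the signature, which is why the same "few new lines of PHP" do not carry over. Custom origin-binding code like this should not be used in production; real deployments verify WebAuthn assertions with a maintained library.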