What's the correct minimum length for a password? 6 chars? 8? A number that isn't even? Here's what the big guys do (and why there's much more to it today than just length): https://www.troyhunt.com/how-long-is-long-enough-minimum-password-lengths-by-the-worlds-top-sites/
Replying to @troyhunt
Joona Immonen (quoting Tavis Ormandy)
About that 2FA. What is your opinion on SMS-2FA?
@taviso was kind of harsh about it: https://twitter.com/taviso/status/942082082385182720
3 replies 0 retweets 2 likes
Replying to @rinorragi @taviso
It’s something in addition to a password alone so that’s good, the discussion then is how readily exploitable it is
2 replies 0 retweets 3 likes
I guess there is also a discussion about who you are trying to protect from and where do you live. Operators tend to be different around the globe. Also high profile players like you two might have different kind of concerns than regular users.
1 reply 0 retweets 0 likes
But back to original question. Would you invest on developing SMS-2FA and do you feel that it might give the user false sense of security?
1 reply 0 retweets 0 likes
Replying to @rinorragi @taviso
Yes, then no. SIM hijacking is very targeted and when you consider that in the context of common attacks like credential stuffing, it’s a big leap forward.
3 replies 0 retweets 3 likes
Replying to @troyhunt @rinorragi
The problem with SMS-2FA isn't "sim hijacking" - The issue is you're trying to solve the problem of an attacker who can steal passwords with a second password.
2 replies 17 retweets 46 likes
Which TOTP suffers from too. I still consider this and the "sim hijacking"* less important than the account life cycle issues
@alexstamos highlights. Especially if you can just email support and convincingly claim you're locked out due to a new phone/lost @Yubico.
3 replies 0 retweets 1 like
I did not claim TOTP is better, I do however claim U2F, while not a panacea, is better.
2 replies 0 retweets 0 likes
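An added illustration, not part of the thread, of the distinction being argued here: a TOTP code is just a function of a shared secret and the clock, so the verifier accepts it no matter where the user typed it, while a U2F/WebAuthn-style assertion carries the origin the browser observed and fails the relying party's check when that origin is wrong. All secrets, origins and challenge values are constructed sample values; the device's ECDSA signature is stood in for by an HMAC so the code runs on the standard library alone.

```python
import hmac, hashlib, struct, json

# ---- TOTP (RFC 6238 on top of RFC 4226 HOTP): code = f(shared secret, clock).
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30) -> str:
    return hotp(secret, at // step)

def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    # The verifier cannot tell where the user typed the code: any holder of a
    # fresh code is accepted inside the clock window, i.e. a "second password".
    return any(hmac.compare_digest(hotp(secret, at // step + d), code)
               for d in range(-window, window + 1))

# ---- U2F/WebAuthn-style assertion: the authenticator signs the server's challenge
# together with the origin the browser observed. Assumption (simplification): the
# per-credential ECDSA signature is replaced by an HMAC over the same client data,
# which leaves the origin-binding logic unchanged.
def device_sign(cred_key: bytes, challenge: str, origin: str):
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True).encode()
    return client_data, hmac.new(cred_key, client_data, hashlib.sha256).digest()

def verify_assertion(cred_key: bytes, expected_origin: str, issued_challenge: str,
                     client_data: bytes, sig: bytes) -> bool:
    if not hmac.compare_digest(hmac.new(cred_key, client_data, hashlib.sha256).digest(), sig):
        return False
    data = json.loads(client_data)
    # The origin comparison is the check that SMS and TOTP codes have no equivalent of.
    return data["origin"] == expected_origin and data["challenge"] == issued_challenge

def compare_at_wrong_origin(real_origin="https://example.com", wrong_origin="https://examp1e.com"):
    """Return (totp_accepted, assertion_accepted) when the user completes the second
    factor on a look-alike origin instead of the real site. Constructed sample values."""
    secret, cred_key, at, challenge = b"constructed-totp-secret", b"constructed-cred-key", 1_700_000_000, "nonce-123"
    code = totp(secret, at)                          # user reads the code off their phone
    totp_ok = verify_totp(secret, code, at + 20)     # real site sees it 20 s later: still inside the window
    client_data, sig = device_sign(cred_key, challenge, wrong_origin)  # browser records the origin it is really on
    u2f_ok = verify_assertion(cred_key, real_origin, challenge, client_data, sig)
    return totp_ok, u2f_ok

if __name__ == "__main__":
    print(compare_at_wrong_origin())  # (True, False)
```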
Agreed. It's better technically. But in practice some claim it's inferior due to the account recovery process if a user loses their u2f key. Support orgs are programmed to set a low bar for recovery because loss occurs so frequently.
1 reply 0 retweets 0 likes
That issue exists whether U2F is implemented or not. It also doesn't solve the problem of malware, vulnerability exploitation, or other social engineering attacks. It's pretty much just phishing.
One other issue with u2f. (Which I don't have the exact numbers for right now). Adoption. When we AB tested TOTP vs SMS ~23% made it through the TOTP onboarding flow, whereas ~80% ish through the SMS flow.
0 replies 0 retweets 1 like