What's the correct minimum length for a password? 6 chars? 8? A number that isn't even? Here's what the big guys do (and why there's much more to it today than just length):https://www.troyhunt.com/how-long-is-long-enough-minimum-password-lengths-by-the-worlds-top-sites/ …
Replying to @troyhunt
Joona Immonen Retweeted Tavis Ormandy
About that 2FA. What is your opinion on SMS-2FA?
@taviso was kind of harsh about it: https://twitter.com/taviso/status/942082082385182720 …
3 replies 0 retweets 2 likes
Replying to @rinorragi @taviso
It’s something in addition to a password alone, so that’s good; the discussion then is how readily exploitable it is.
2 replies 0 retweets 3 likes
I guess there is also a discussion about who you are trying to protect from and where you live. Operators tend to be different around the globe. Also, high-profile players like you two might have different kinds of concerns than regular users.
1 reply 0 retweets 0 likes
But back to the original question. Would you invest in developing SMS-2FA, and do you feel that it might give the user a false sense of security?
1 reply 0 retweets 0 likes
Replying to @rinorragi @taviso
Yes, then no. SIM hijacking is very targeted and when you consider that in the context of common attacks like credential stuffing, it’s a big leap forward.
3 replies 0 retweets 3 likes
Replying to @troyhunt @rinorragi
The problem with SMS-2FA isn't "sim hijacking" - The issue is you're trying to solve the problem of an attacker who can steal passwords with a second password.
2 replies 17 retweets 46 likes
But that is essentially true for all 2FA, depending on how loose your definition of password is :P
1 reply 0 retweets 0 likes
I don't get the joke, I'm saying U2F is a better solution because it's not phishable.