What's the correct minimum length for a password? 6 chars? 8? A number that isn't even? Here's what the big guys do (and why there's much more to it today than just length): https://www.troyhunt.com/how-long-is-long-enough-minimum-password-lengths-by-the-worlds-top-sites/
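The opening tweet's point is that a minimum length is only one part of a password policy: the article it links also checks candidates against known-breached passwords, and later replies in the thread name reuse and easily guessed passwords as the biggest practical threat. The following is an added example, not code from the linked article or from any participant, showing a minimal server-side check that combines a length window with a breached-password blocklist held as SHA-1 digests. The blocklist contents, the 8-character minimum and the 128-character maximum are constructed assumptions for the example.

```python
import hashlib
import unicodedata

# Constructed sample of a breached/common-password blocklist. A real deployment
# would load a corpus such as a breach-derived list (assumption: any local list
# of digests works the same way).
CONSTRUCTED_BLOCKLIST = {
    "password", "123456", "qwerty", "letmein", "iloveyou", "banana123",
}

# Keep only SHA-1 hex digests so the plaintexts need not sit beside the
# application; breach corpora are commonly distributed in this form.
BLOCKLIST_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest() for p in CONSTRUCTED_BLOCKLIST
}

MIN_LENGTH = 8    # assumption: a minimum in the range the linked survey discusses
MAX_LENGTH = 128  # upper bound so an enormous input cannot stall the hash step


def normalize(password: str) -> str:
    """NFC-normalize so visually identical Unicode strings compare equal."""
    return unicodedata.normalize("NFC", password)


def check_password(password: str) -> list:
    """Return the list of policy failures; an empty list means acceptable."""
    pw = normalize(password)
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        failures.append(f"longer than {MAX_LENGTH} characters")
    # Hash once and compare digests, never the raw string, against the list.
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest()
    if digest in BLOCKLIST_SHA1:
        failures.append("appears in the breached-password list")
    return failures


if __name__ == "__main__":
    for candidate in ("123456", "banana123", "correct horse battery staple"):
        print(repr(candidate), "->", check_password(candidate) or "ok")
```

Note that "banana123" passes the length rule yet is still rejected, which is the distinction the tweet is making: a password long enough by policy can still be one an attacker already holds from a breach dump.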
Replying to @alexstamos @taviso and
Don't have big, systematic data on this but I constantly hear all over the world from people without any 2FA whose accounts get taken over via password reuse and much rarer live phishing of SMS 2FA. I do push people to U2F but, ceteris paribus, SMS 2FA seems way better than none.
1 reply 1 retweet 7 likes -
Replying to @zeynep @alexstamos and
It happens rarely for opportunistic phishing because the economics don't make sense. Why change your code to increase victim yield by 1%? If that number increases, so will attacks. If 1% of users had to type "banana" into a form field, they would also be phished less.
1 reply 0 retweets 3 likes -
Would you argue that my banana-factor authentication scheme is better than none if it has the same property of reducing opportunistic phishing when only enabled for 1% of users?
2 replies 0 retweets 0 likes -
Replying to @taviso @alexstamos and
I deal with a lot of people who are political targets but not necessarily state-level targets. There is a significant amount of opportunistic targeting of such people by people with zero tech skills nor economic incentives. Even SMS 2FA cuts that a lot.
1 reply 0 retweets 5 likes -
Replying to @zeynep @alexstamos and
You're correct, when enabled for 1% of users it effectively makes them too expensive to phish. That's only true if attacker gets 1% more victims when he supports it. If he gets 30% more victims, economics change and worth supporting. Attacker already has capability to phish.
1 reply 0 retweets 1 like -
Replying to @taviso @alexstamos and
In my observations, password reuse and easy to guess passwords are the huge threats on their own. Phishing, while also not apparently that much harder in theory, is actually practically out-of-reach for many of these opportunistic attackers.
1 reply 1 retweet 4 likes -
Could attackers improve? Sure, in theory. But in theory people could be convinced not to reuse passwords or make them their kid’s name. That said, I spend much of my life trying to convince people to use auth apps or U2F.
3 replies 0 retweets 2 likes
zeynep tufekci Retweeted zeynep tufekci
My U2F advocacy is to the level that Amazon algorithmically tied my book to Yubikeys—and if you search for Amazon affiliate links for my book, you get security keys. I still make people turn on SMS at times (unless it defaults to one factor)https://twitter.com/zeynep/status/859842454664642561 …
And unless they could show he did CFAA (which is possible, from how some things were done)
0 replies 0 retweets 0 likes