What's the correct minimum length for a password? 6 chars? 8? A number that isn't even? Here's what the big guys do (and why there's much more to it today than just length): https://www.troyhunt.com/how-long-is-long-enough-minimum-password-lengths-by-the-worlds-top-sites/
Replying to @alexstamos @taviso and
Don't have big, systematic data on this but I constantly hear all over the world from people without any 2FA whose accounts get taken over via password reuse and much rarer live phishing of SMS 2FA. I do push people to U2F but, ceteris paribus, SMS 2FA seems way better than none.
1 reply 1 retweet 7 likes
Replying to @zeynep @alexstamos and
It happens rarely for opportunistic phishing because the economics don't make sense. Why change your code to increase victim yield by 1%? If that number increases, so will attacks. If 1% of users had to type "banana" into a form field, they would also be phished less.
1 reply 0 retweets 3 likes
Would you argue that my banana-factor authentication scheme is better than none if it has the same property of reducing opportunistic phishing when only enabled for 1% of users?
2 replies 0 retweets 0 likes
Replying to @taviso @alexstamos and
I deal with a lot of people who are political targets but not necessarily state-level targets. There is a significant amount of opportunistic targeting of such people by people with zero tech skills nor economic incentives. Even SMS 2FA cuts that a lot.
1 reply 0 retweets 5 likes
Replying to @zeynep @alexstamos and
You're correct, when enabled for 1% of users it effectively makes them too expensive to phish. That's only true if the attacker gets 1% more victims when he supports it. If he gets 30% more victims, the economics change and it's worth supporting. The attacker already has the capability to phish.
1 reply 0 retweets 1 like
Replying to @taviso @alexstamos and
In my observations, password reuse and easy-to-guess passwords are the huge threats on their own. Phishing, while also not apparently that much harder in theory, is actually practically out of reach for many of these opportunistic attackers.
1 reply 1 retweet 4 likes
Could attackers improve? Sure, in theory. But in theory people could be convinced not to reuse passwords or make them their kid’s name. That said, I spend much of my life trying to convince people to use auth apps or U2F.
3 replies 0 retweets 2 likes
Replying to @zeynep @alexstamos and
I guess I'm not sure I understand where we disagree, we both agree that attackers can improve, and both agree they haven't yet while adoption is so low. Is it that you argue that even when forced to adapt because of high adoption of SMS-2FA, they'll just pack up and go home?
1 reply 0 retweets 0 likes
Replying to @taviso @alexstamos and
Yes. In my experience, there is a non-negligible group of opportunistic attackers that can do password reuse/kid’s name password but will not/cannot escalate. This doesn’t apply to any high-value target or to systematic phishers (who have economic concerns).
2 replies 2 retweets 3 likes
If we disagree, it's that I don't think SMS 2FA is basically worthless. If you're a vendor, I'd be begging you not to do it that way, and to adopt U2F and/or an auth app. Still, for many users, those are surprisingly hard steps.
Replying to @zeynep @alexstamos and
I get that, but my point was you can achieve the same result that we both like (lower opportunistic phishing) with my silly banana scheme. Is my banana scheme basically worthless? If yes, then why is it worse than SMS-2FA?
1 reply 0 retweets 0 likes
Replying to @taviso @alexstamos and
"Banana" is a fixed word? Once again, anything that involves typing something is not a huge barrier to opportunistic attacks. Mutter the words "php script", and a surprisingly non-negligible number of them seem to scatter.
1 reply 0 retweets 1 like