just a general rant

F22 Simpilot said:

mitigate things like a password sniffer or database leak from using your password. Without the six digit 2FA code

Exactly the point i was making. Yes 2FA is an added benefit of security its a good security layer but its not perfect and can still be bypassed. Its like locking the front door but i can still smash your windows.

if they can get into the database then 2FA is not effective hence yes rainbow tables are in play. take down the infrastructure for 2FA or bypass it completely and then go from there. They don't even need the passwords really if they are that far in. BUt we see sold or leaked passwords is a common thing so there is money incentive to these things from that end.

its a small percentage of people with this skill set. But for the most part 2FA works. What i am alluding to its more to it than most people think. I think the grounds have been here for a good while now like over 10 years and in some cases 20.

This is a long winded rant for a while now as initially it was just meant as GitHub forcing 2FA rant.

This far in though it still stands 2FA works as intended but is it really necessary? a century or more of time to crack an effective password so really as a baseline 2FA is authentication to a user. again its a double sided coin if you do the math. We are seeing those signs that we need to prove who we are and what we are doing in some contexts.

for the average user this is not even on the radar.

Can we explain why i need to authenticate to play minecraft? like to even log in? Because to me that does not even make sense. Why does Minecraft need to crypto my chat logs? on my own private server where me as the Admin should be able to police that myself. I don't need Microsoft to mediate for me.

Malneb said:

Github is forcing 2fA now and you cannot continue without it. I don't require 2FA so i am effectively locked out.

Thanks Microsoft.

I suggest metal foil hats and heavy medication for you.

F22 Simpilot said:

There's no rainbow tables with a 2FA hash in the database. The hash is either Bcrypt or Argon.

Bcrypt: $2a$10$dD79jP0wQdz8Ol2nTmft5OJsJOGl/mzpLTnJpZzwjtXt5OlVar4dC

Argon2id: $argon2id$v=19$m=16,t=2,p=1$NjU2NDU2NDY0NTQ$cgpfAzz7zcpyqMx1AGj0rQ

There's no rainbow tables for Bcrypt and Argon... MD5, yes. Windows SAM can be cracked with rainbow tables as well. And even GSM (cell voice) encryption...

its still a hashed algorithm for 2fa regardless we are getting nuanced overall now. The point is that crypto is a system that has all the pinning to carry real world information tied to it.

All they need to do is force drivers license as a requirement to sign up for an email and that means hey presto every time you 2FA into an account they know.

We already purchase mobile phones and have to produce drivers license and they fill out a massive form right in front of you, with all your creds.

With online safety a big deal then its a real world potential. "Because of X reason of email accounts and fraudulent actions we now require to sign up with your drivers license to prove you are not a fraudulent actor"

rainbow table for hashed passwords not 2FA why do you think they want to push 2FA as a requirement? because its round robin by design.

Hearsepilot said:

I suggest metal foil hats and heavy medication for you.

No you don't, explain then if you think you know.

Malneb said:

No you don't, explain then if you think you know.

You can get help for mental illness though ironically the helpers also wear white coats.

well i don't have mental health issues so that is irrelevant. If this was a proper debate then you would of just lost by default.

There is arguments for both sides and i am not trying to disprove anyone i did not intend to go this far into it.