# Microsoft: 99.9% of compromised accounts did not use multi-factor

1. TairikuOkami said:
PayPal, for example, allows only 20-character-long passwords, which can be easily breached within days
That doesn't sound feasible to me.

For a 20 character password, assuming you are able to use the full mixture of numeric, alphanumeric and special characters on a keyboard, then:

96^20 = 4.42 x 10^39 possibilities

Assuming a single unit capable of 100 trillion guesses a second, then:

4.2 x 10^39 / 100 x 10^13 = 4.42 x 10^13 seconds or 12,277,845,385 hours or 511,576,892 days or 1,401,580 years
2. What happens IF your 20-character password is the first one they guess? I would not assume that it would be the very last one.
3. z3r010 said:
I just don't understand the resistance to 2FA, the majority of sites/applications only need to authenticate every 30 days or so and it is just so much more secure than a password alone, IMO not to use it when it's on offer is absolute stupidity.
I do not either, it is not that hard.
4. meebers said:
What happens IF your 20-character password is the first one they guess? I would not assume that it would be the very last one.
It doesn't quite work like that - each character has to be tested separately. There is no feasible way you can guess something like this in one go: ?Uj7%MfU<8X+vGFB+2Q
5. Josey Wales said:
I do not either, it is not that hard.
I wouldn't say it is hard, but maybe a little inconvenient. I use Quicken to automatically download account data at once; now, since I use 2FA, each account has to be done separately. Sign in, select where to send code, retrieve code, enter code and then download data. Keep telling myself it is "worth" it.

6. Golden said:
There is no feasible way you can guess something like this in one go: ?Uj7%MfU<8X+vGFB+2Q
7. TV2 said:
Hey! That's mine.

Denis
8. Hi folks

Banks and other financial institutions send you a code to another device, e.g. a phone, to complete the login process.
I don't think the process itself is particularly onerous -- it's the entering of some random code -- with banks it's often simply a 5 or 6 digit number so it's relatively easy.

The code doesn't have to be complex etc -- since the response has to be made from a designated phone or device.

Why make a reasonably secure process bonkersly complicated?

Cheers
jimbo
9. TairikuOkami said:
PayPal, for example, allows only 20-character-long passwords, which can be easily breached within days
PayPal also allows (suggests) 2FA.

The "resistance" I had to 2FA is the inconvenience of having to read an email or text to receive the 2FA code to complete the sign-in process. At first I turned 2FA off after setting it up, but the world we live in today has made me embrace it. As annoying as it is, it at least adds another layer of protection. And at the very least I'm notified of an attempted login.

Anyway, I see nothing wrong with companies asking users to use 2FA to protect themselves. Agree with Kari and z3r010, the resistance around this is stupid.
10. z3r010 said:
I just don't understand the resistance to 2FA, the majority of sites/applications only need to authenticate every 30 days or so and it is just so much more secure than a password alone, IMO not to use it when it's on offer is absolute stupidity.
I always use 2FA when available.
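
The search-space reasoning debated in this thread (how long exhaustive guessing of a 20-character password takes, and how likely an early lucky guess is), as an added example that is not part of any post. It assumes a uniformly random password, guessing with no lockout or rate limit, and the thread's figures of 96 symbols and 100 trillion guesses per second; the function names are my own.

```python
from fractions import Fraction

SECONDS_PER_YEAR = 365 * 24 * 3600
CHARSET = 96        # symbol count used in the thread
RATE = 10 ** 14     # 100 trillion guesses per second, as in the thread


def keyspace(charset, length):
    """Number of distinct passwords of exactly `length` symbols."""
    return charset ** length


def worst_case_years(charset, length, rate):
    """Time to try every candidate, i.e. the target is the last one tested."""
    return Fraction(keyspace(charset, length), rate * SECONDS_PER_YEAR)


def expected_years(charset, length, rate):
    """Average case: a uniformly random target sits at position (N + 1) / 2."""
    guesses = Fraction(keyspace(charset, length) + 1, 2)
    return guesses / rate / SECONDS_PER_YEAR


def hit_probability(charset, length, guesses):
    """Chance the password is among the first `guesses` candidates tried."""
    return min(Fraction(1), Fraction(guesses, keyspace(charset, length)))


def min_length(charset, rate, years):
    """Shortest length whose average search time is at least `years`."""
    length = 1
    while expected_years(charset, length, rate) < years:
        length += 1
    return length


if __name__ == "__main__":
    thirty_days = RATE * 30 * 24 * 3600   # guesses made in 30 days at RATE
    print(f"keyspace 96^20      : {keyspace(CHARSET, 20):.3e}")
    print(f"worst case (years)  : {float(worst_case_years(CHARSET, 20, RATE)):.3e}")
    print(f"average (years)     : {float(expected_years(CHARSET, 20, RATE)):.3e}")
    print(f"P(first guess)      : {float(hit_probability(CHARSET, 20, 1)):.3e}")
    print(f"P(hit in 30 days)   : {float(hit_probability(CHARSET, 20, thirty_days)):.3e}")
    print(f"length for 1000 yrs : {min_length(CHARSET, RATE, 1000)}")
```

These figures apply only to randomly generated passwords; a reused or human-chosen password falls to wordlists and credential stuffing long before exhaustive search matters, which is the gap 2FA covers.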
