Microsoft: 99.9% of compromised accounts did not use multi-factor

Golden · 08 Mar 2020

TairikuOkami said:

Paypal for example allows to use only 20 characters long password, that can be easily breached within days

That doesn't sound feasible to me.

For a 20 character password, assuming you are able to use the full mixture of numeric, alphanumeric and special characters on a keyboard, then:

96^20 = 4.42 x 10^39 possibilities

Assuming a single unit capable of 100 trillion guesses a second, then:

4.2 x 10^39 / 100 x 10^13 = 4.42 x 10^13 seconds or 12,277,845,385 hours or 511,576,892 days or 1,401,580 years

meebers · 08 Mar 2020

What happens IF your 20 character password is the first one they guess??, would not assume that it would be the very last one

Josey Wales · 08 Mar 2020

z3r010 said:

I just don't understand the resistance to 2FA, the majority of sites/applications only need to authenticate every 30 days or so and it is just so much more secure than a password alone, IMO not to use it when it's on offer is absolute stupidity.

I do not either, it is not that hard.

Golden · 08 Mar 2020

meebers said:

What happens IF your 20 character password is the first one they guess??, would not assume that it would be the very last one

It doesn't quite work like that - each character has to be tested separately. There is no feasible way you can guess something like this in one go : ?Uj7%MfU<8X+vGFB+2Q

meebers · 08 Mar 2020

Josey Wales said:

I do not either, it is not that hard.

I wouldn't say is is hard, but maybe a little inconvenient. I use quicken to automatically download account data at once, now since I use 2FA, each account has to be done separately. Sign in, select where to send code, retrieve code, enter code and then download data. Keep telling myself it is "worth" it.

- - - Updated - - -

TV2 · 08 Mar 2020

Golden said:

There is no feasible way you can guess something like this in one go : ?Uj7%MfU<8X+vGFB+2Q

Hey! That's my password!

Try3 · 08 Mar 2020

TV2 said:

password

Hey! That's mine.

Denis

jimbo45 · 09 Mar 2020

Hi folks

Banks and other financial institutions send you a code to another device e.g a phone to complete login process.
I don't think the process itself is particularly onerous -- it's the entering of some random code -- with banks it's often simply a 5 or 6 digit number so it's relatively easy.

The code doesn't have to be complex etc -- since the response has to be made from a designated phone or device.

Why make a reasonably secure process bonkersly complicated.

Cheers
jimbo

sygnus21 · 09 Mar 2020

TairikuOkami said:

Paypal for example allows to use only 20 characters long password, that can be easily breached within days.... [snip]

PayPal also allows (suggests) 2FA.

The "resistance" I had to 2FA is the inconvenience of having to read an email or text to receive the 2FA code to complete the sign in process. At first I turned 2FA off after setting it up, but the world we live in today has made me embrace it. As annoying as it is, it at least adds a another layer of protection. And at the very least I'm notified of an attempted login.

Anyway, I see nothing wrong with companies asking users to use 2FA to protect themselves. Agree with Kari and z3r010, the resistance around this is stupid.

swarfega · 09 Mar 2020

z3r010 said:

I just don't understand the resistance to 2FA, the majority of sites/applications only need to authenticate every 30 days or so and it is just so much more secure than a password alone, IMO not to use it when it's on offer is absolute stupidity.

I always use 2FA when available.