FastMail Forum: All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.

24 Dec 2013, 09:39 AM | #16
Cornerstone of the Community
Join Date: Apr 2004
Location: Melbourne
Posts: 971
Representative of:
Fastmail.fm

Neil.

24 Dec 2013, 08:43 PM | #17
The "e" in e-mail
Join Date: May 2002
Posts: 2,804
The reason it's hard to crack is not that it was designed to be slow (you can make any password hash as slow as you like by varying the number of iterations); it's that it doesn't work well on current GPUs. Scrypt is supposed to be even better: it's specifically designed to run optimally with a ratio of processing power to memory that's characteristic of server hardware.
Last edited by DrStrabismus : 24 Dec 2013 at 09:12 PM.
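An added example, not code from the thread or from FastMail: a small Python password store that records the work factor next to each hash, so the PBKDF2 iteration count or the scrypt memory parameters (one scrypt guess needs 128*r*n bytes of RAM) can be raised later and old records re-hashed at the next successful login. The parameter values and the record format are assumptions chosen for illustration.

```python
import base64, hashlib, hmac, os

# Current work factors (constructed for this example). PBKDF2 is tuned by
# iterations alone (CPU time per guess); scrypt also takes n (CPU/memory cost),
# r (block size) and p (parallelism), so a single guess needs 128*r*n bytes.
PBKDF2_ITERATIONS = 600_000
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # 16 MiB per guess


def scrypt_memory_bytes(n, r):
    """RAM one scrypt evaluation needs: 128 * r * n bytes."""
    return 128 * r * n


def _b64(raw):
    return base64.b64encode(raw).decode()


def hash_password(password, scheme="scrypt", salt=None):
    """Return 'scheme$params$salt$digest' so the parameters travel with the hash."""
    salt = salt if salt is not None else os.urandom(16)
    pw = password.encode()
    if scheme == "pbkdf2":
        params = str(PBKDF2_ITERATIONS)
        digest = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS, dklen=32)
    elif scheme == "scrypt":
        params = f"{SCRYPT_N},{SCRYPT_R},{SCRYPT_P}"
        digest = hashlib.scrypt(pw, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    else:
        raise ValueError(f"unknown scheme {scheme}")
    return "$".join([scheme, params, _b64(salt), _b64(digest)])


def verify_password(password, stored):
    """Recompute with the parameters stored in the record; compare in constant time."""
    scheme, params, salt_b64, digest_b64 = stored.split("$")
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    pw = password.encode()
    if scheme == "pbkdf2":
        digest = hashlib.pbkdf2_hmac("sha256", pw, salt, int(params), dklen=32)
    else:
        n, r, p = (int(x) for x in params.split(","))
        digest = hashlib.scrypt(pw, salt=salt, n=n, r=r, p=p, dklen=32)
    return hmac.compare_digest(digest, expected)


def needs_rehash(stored):
    """True when the record used a weaker work factor than today's; rehash at next login."""
    scheme, params = stored.split("$")[:2]
    if scheme == "pbkdf2":
        return int(params) < PBKDF2_ITERATIONS
    n, r, p = (int(x) for x in params.split(","))
    return scrypt_memory_bytes(n, r) < scrypt_memory_bytes(SCRYPT_N, SCRYPT_R)
```

Raising a work factor then only means changing the constants; records hashed under the old values still verify and are flagged by `needs_rehash` once the user's password is available again at login.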

27 Dec 2013, 07:22 AM | #18
Junior Member
Join Date: Dec 2013
Posts: 1

2FA cannot be replaced by long passwords
I'm not sure that it is clear that 2FA provides much better security than any password can. The point is that with 2FA you need to know something (your password) and you need to have something (your phone) to authenticate yourself. A password can be stolen and you won't notice, but if your phone gets stolen or lost, you'll notice and can, for example, reset your password using backup codes you printed on paper and stored in a safe place when enabling 2FA.

31 Dec 2013, 02:25 PM | #19
Junior Member
Join Date: May 2006
Posts: 20

20 Mar 2014, 04:11 AM | #20
Essential Contributor
Join Date: Apr 2002
Location: Maryland
Posts: 217

As for two-factor vs. super long password, isn't it good to give the user a choice if feasible? I could see a keylogger being something that can defeat a long password (though I'm not sure how likely that is if you're using a password manager). Alternatively, keeping the status quo, I wouldn't mind having some kind of alert for odd logins. Say I log in at home and work often. Suddenly seeing a login from a location across the country (or another country) could send a flag to my backup address or some other defined address.

1 Apr 2014, 09:18 AM | #21
Senior Member
Join Date: Apr 2014
Posts: 166

Yes, luisgerhorst has it right, 2FA is basically pointless unless it's impossible to bypass (short of a one-time recovery code). The whole idea of 2FA is that passwords are inherently insecure, because of the possibility of client exploits, server breaches, spoofed TCP sessions (even with fake SSL certificates that we've seen multiple times) etc. If there's such a thing as a re-usable master password, it can be intercepted and exploited.