

Ask HN: As a result of 2fa, can I now use easier passwords? - anthonys

I have various web accounts which, like many, I don't want to see compromised. To try and ensure this, I have been using 1Password on my Mac/PC/Mobile devices, which not only generates unmemorable passwords but keeps them on hand too.

This worked for everything except Gmail, which I need quicker access to, and as a result Gmail had a "weaker" password for some time. About 18 months ago, I enabled 2fa for my Gmail account as I had come to much the same conclusion as Geoff Atwood did here: http://www.codinghorror.com/blog/2012/04/make-your-email-hacker-proof.html

Given Gmail is what I use to sign up to pretty much everything, it made sense to make sure it was as secure as possible, which obviously a weaker password was not going to help with. However, with 2fa, I feel relatively secure given my weaker password is no longer the only way in.

In recent times, many of the tools I use regularly have implemented 2fa: Dropbox, Cloudflare (today, which prompted this thinking), WordPress, my Microsoft account and others that don't come to mind given they rely on my mobile (cell) number, which means I don't remember them.

As a result of this, my question is simply: can I now use a more memorable password for my account? Or is 2fa giving me a false sense of security?
======
hardik988
Disclaimer: I am not a security expert.

2fa is a great tool to have, but it is what it says it is - just a second
factor. And if your password is weak, your GMail account is just as secure as
your second factor is. What if your phone is stolen, and the adversary manages
to get hold of your Google password? Having a second factor should not
encourage you to use easy/weak passwords.

Also, regarding your quest for a more memorable password, there has been a
huge debate about this, but your password can be strong and memorable at the
same time. As this xkcd comic[1] explains, and further discussions on
Security.Stackexchange[2] and MetaFilter[3], long passwords such as
"correct battery horse staples" are good (although a smaller key space - but
you could increase that by substituting e with 3, 1 with ! etc, although this
technique is common enough to be known by adversaries), and are about as
strong as something like h@CK3RZ@(!@WP*

Personally, my passwords use the above technique, with a combination of pop-culture
references and something about the account to which the password
belongs, with a few special characters here and there. And since you say you
only need to remember the password to your Google account, it should be
relatively easy to remember just one very complex password.

[1]: <http://xkcd.com/936/>

[2]: <http://security.stackexchange.com/questions/6095/xkcd-936-short-complex-password-or-long-dictionary-passphrase>

[3]: <http://ask.metafilter.com/193052/Oh-Randall-you-do-confound-me-so>
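An added example, not part of the thread, that puts numbers on the key-space point made above using the xkcd 936 model (a 2048-word list the attacker is assumed to know) and shows why a known substitution table adds little. The guess rates (a rate-limited online login vs. an offline attack on a leaked hash) and the substitution table are assumptions chosen for illustration; the offline column is the case 2fa does nothing about.

```python
import math

WORDLIST_SIZE = 2048   # xkcd 936 assumption: ~2^11 plausible common words per slot
# Assumed "well-known" substitution table; an attacker is presumed to have it.
LEET_TABLE = {"e": "3", "a": "@", "o": "0", "i": "1", "s": "$", "t": "7"}
SECONDS_PER_YEAR = 365 * 24 * 3600


def passphrase_bits(num_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of num_words words drawn uniformly from a known wordlist."""
    return num_words * math.log2(wordlist_size)


def substitution_bits(passphrase: str, table: dict = LEET_TABLE) -> float:
    """Upper bound on bits gained by optional substitutions from a known table.
    The attacker only branches 'substituted or not' at each eligible character,
    so each eligible position adds at most one bit. If the rule is applied
    consistently (every e -> 3), it is one bit per RULE, which is far less."""
    eligible = sum(1 for ch in passphrase.lower() if ch in table)
    return float(eligible)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the secret: on average half the keyspace is searched."""
    return (2 ** bits / 2) / guesses_per_second


def compare(passphrase: str, online_rate: float = 10.0,
            offline_rate: float = 1e10) -> dict:
    """Summarise a word-based passphrase under online and offline guessing.
    online_rate models a throttled login form; offline_rate models cracking
    a leaked password hash on commodity GPUs (both assumed figures)."""
    base = passphrase_bits(len(passphrase.split()))
    return {
        "bits": base,
        "bits_with_substitutions": base + substitution_bits(passphrase),
        "online_years": expected_crack_seconds(base, online_rate) / SECONDS_PER_YEAR,
        "offline_years": expected_crack_seconds(base, offline_rate) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    # Constructed sample: the four-word passphrase quoted in the comment above.
    for key, value in compare("correct battery horse staples").items():
        print(f"{key}: {value:,.4f}")
```

The same 44-bit passphrase that would take tens of thousands of years against a throttled login falls in minutes once the hash is attacked offline, which is why a second factor is no substitute for a strong password.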

