Hacker Newsnew | comments | show | ask | jobs | submitlogin
Ask HN: As a result of 2fa, can I now use easier passwords?
4 points by anthonys 854 days ago | 1 comment
I have various web accounts which like many, I don't want to see compromised. To to try and ensure this, I have been using 1Password on my Mac/PC/Mobile devices which not only generates unmemorable passwords but keeps them on hand too.

This worked for everything except Gmail which I need quicker access to and as a result, Gmail had a "weaker" password for sometime. About 18 months ago, I enabled 2fa for my Gmail account as I had come to much the same conclusion as Geoff Atwood did here: http://www.codinghorror.com/blog/2012/04/make-your-email-hacker-proof.html

Given Gmail is what I use to sign up to pretty much everything, it made sense to make sure it was as secure as possible which obviously a weaker password was not going to help with. However, with 2fa, I feel relatively secure given my weaker password is no longer the only way in.

In recent times, many of the tools I use regularly have implemented 2fa - Dropbox, Cloudflare (Today- prompted this thinking), WordPress, my Microsoft account and others that don't come to mind given they rely on my mobile (cell) number which means I don't remember them.

As a result of this, my question is simply can I now use a more memorable password for my account? Or is 2fa giving me a false sense of security?




Disclaimer: I am not a security expert.

2fa is a great tool to have, but it is what it says it is - just a second factor. And if your password is weak, your GMail account is just as secure as your second factor is. What if your phone is stolen, and the adversary manages to get hold of your Google password? Having a second factor should not encourage you to use easy/weak passwords.

Also, regarding your quest for a more memorable password, there has been a huge debate about this, but your password can be strong and memorable at the same time. As this xkcd comic[1] explains, and further discussions on Security.Stackexchange[2] and MetaFilter[3], such long passwords such as "correct battery horse staples" are good (although a smaller key space - but you could increase that by substituting e with 3, 1 with ! etc, although this technique is common enough to be known by adversaries), and are about as strong as something like h@CK3RZ@(!@WP*

Personally, my passwords use the above technique, with a combination of pop-culture references and something about the account to which the password belongs, with a few special characters here and there. And since you say you only need to remember only the password to your Google account, it should be relatively easy to remember just one very complex password.

[1]: http://xkcd.com/936/

[2]: http://security.stackexchange.com/questions/6095/xkcd-936-sh...

[3]: http://ask.metafilter.com/193052/Oh-Randall-you-do-confound-...

-----




Guidelines | FAQ | Support | API | Lists | Bookmarklet | DMCA | Y Combinator | Apply | Contact

Search: