by Area12 3546 days ago
From an old IT guy, none of this is new ... Scott Adams (of Dilbert) noted it in 1998: http://dilbert.com/strip/1998-04-06

That was 18 years ago.

Particularly raw for Dilbert: "Squeal like a pig" is from the 1972 movie "Deliverance" and refers to an assault that was one of the most disturbing US mainstream movie scenes of the 1970s.

The only real improvement in all that time that I can think of: password managers. I almost said Single Sign On, but that comes with its own security issues.


Two factor authentication is a major improvement. Combined with a password manager is a pretty good combination.
> Combined with a password manager is a pretty good combination.

So 2FA combines something you have (your phone) with something your phone knows.

Exactly! And I use 1Password so I also have the tokens on my computer, together with my passwords. Replay attacks get harder though.
I think his point was that if your password is stored on your phone, two factor authentication doesn't actually add any security because it's no longer two factor.
Not if you access the site from a laptop/desktop.
2FA seems a modest improvement at best, especially when it boils down to a TOTP secret you can use anywhere. (I have a Greasemonkey script that enters my required '2fa' token for me.) With a YubiKey form factor it's much better... It's also relatively useless if you already have a strong password and don't re-use it, i.e. a password manager. Sure it may stop someone from logging in as you if they just have your (unique) password, but if you consider the ways they can just have your (unique) password that doesn't really matter.
Good point, forgot that one even though I use it.
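The point made above about a "TOTP secret you can use anywhere" (and the earlier remark that a seed stored in 1Password next to the password is no longer a second factor) can be shown concretely. The following is an added example, not code from anyone in this thread: a minimal RFC 4226/6238 HOTP/TOTP implementation using the RFC's published test secret (ASCII `12345678901234567890`), with a constructed `replay_demo` showing that any copy of the seed (phone, laptop script, password manager) yields identical codes, that a captured code stays valid for the server's whole acceptance window, and that a server has to remember the last consumed counter to block that replay. The `consume` function and its `state` dict are this example's own design, not any particular service's API.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 published test secret (not a real credential).
RFC_TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1,
                step: int = STEP_SECONDS, digits: int = 6) -> bool:
    """Stateless check: accept the code if it matches any step in [now-window, now+window].
    This is how most servers tolerate clock drift, and it is exactly why a sniffed
    code remains usable for (2*window+1)*step seconds."""
    counter = unix_time // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


def consume(secret: bytes, code: str, unix_time: int, state: dict,
            window: int = 1, step: int = STEP_SECONDS, digits: int = 6) -> bool:
    """Stateful check (example design): like verify_totp, but refuse any counter
    that is <= the last one accepted for this user. That closes the replay
    window at the cost of keeping a tiny per-user record."""
    counter = unix_time // step
    last = state.get("last_counter", -1)
    for c in range(counter - window, counter + window + 1):
        if c <= last:
            continue  # already used (or older): replay, reject
        if hmac.compare_digest(hotp(secret, c, digits), code):
            state["last_counter"] = c
            return True
    return False


def replay_demo() -> dict:
    """Constructed scenario: the same seed lives on a phone and in a desktop
    password manager; an attacker captures one code at t=59 and replays it at t=75."""
    phone_code = totp(RFC_TEST_SECRET, 59)
    laptop_code = totp(RFC_TEST_SECRET, 59)      # same seed => same code, anywhere
    captured = phone_code
    state = {}
    first_login = consume(RFC_TEST_SECRET, captured, 59, state)   # legitimate use
    stateless_replay = verify_totp(RFC_TEST_SECRET, captured, 75)  # still inside window
    stateful_replay = consume(RFC_TEST_SECRET, captured, 75, state)  # blocked
    return {
        "phone_code": phone_code,
        "laptop_code": laptop_code,
        "same_code_everywhere": phone_code == laptop_code,
        "first_login": first_login,
        "stateless_replay_accepted": stateless_replay,
        "stateful_replay_accepted": stateful_replay,
    }


if __name__ == "__main__":
    for k, v in replay_demo().items():
        print(f"{k}: {v}")
```

The code values come straight from the RFC 6238 Appendix B vectors (the 8-digit value 94287082 at t=59 truncates to 287082 with six digits), so the arithmetic can be checked against the standard. What a YubiKey-style authenticator changes is not this arithmetic but where the seed can live: a FIDO/U2F credential signs a challenge that includes the site origin and cannot be copied out of the device, whereas a TOTP seed is a plain shared secret that works identically from wherever it is stored.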