by ciro_langone 3234 days ago
Are the little devices that change the PIN or passphrase every 30 seconds the most secure way to lock access? It seems like having to have the right code at the right time was more secure than having the right code at any time, but I wasn't sure why they weren't rolled out en masse. Is this not the best method of security?
2 comments

TOTP, the algorithm used by github, google, and many others to provide two-factor auth is basically that, except your phone is the little device. IMHO this is "good enough" security for normal people. I haven't read of cases where people's second factor got hacked, just where it got bypassed (e.g. by using social engineering to skip passwords entirely).
People say the weakest link is the user in passwords, and that's often true. But for more security conscious users the weakest link is the helpdesk. It may not even be where you expect. Plenty of people have been hacked because the hacker called the support line for their registrar, hosting, email provider, or ISP and got a password changed without any form of hard verification.

It can be extremely frustrating to do everything right and then have your knees cut off by some script reader in a cube farm somewhere.

Also, if you do email verification for accounts, whenever someone changes their email send one to the old account saying "Hey, this is being changed, are you OK with it?" and if they say no, revert the email and reset the password on the spot.
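To make concrete what the "code that changes every 30 seconds" actually is, here is an added example (not from this thread) of the TOTP scheme the comment above refers to, built on HOTP as in RFC 4226 / RFC 6238: the code is an HMAC over the current 30-second time-step counter, and the verifier accepts a small window of neighbouring steps to tolerate clock drift. The key and timestamps are the RFC test values; the `window` and `last_counter` handling are assumptions about how a server would use it.

```python
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(key, counter)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter = floor(unix_time / step)."""
    return hotp(key, int(for_time) // step, digits)


def verify_totp(key: bytes, candidate: str, now: float, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1):
    """Return the matched time-step counter, or None if the code is rejected.

    Accepts counters within +/- `window` steps of `now` (clock drift), in
    constant time per comparison. Any counter <= `last_counter` is refused so a
    code that was already accepted cannot be replayed within its window.
    """
    base = int(now) // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), candidate):
            return counter
    return None


if __name__ == "__main__":
    # Constructed demo key (the ASCII seed used in the RFC test vectors).
    seed = b"12345678901234567890"
    now = time.time()
    code = totp(seed, now)
    print("current code:", code, "->", verify_totp(seed, code, now))
```

A six-digit code with a 30-second step has only a million values per step, so the comment below about brute force applies: a verifier must also rate-limit attempts, not just check the code.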

From the point of view of somebody brute forcing their way in, there is very little difference between a password that stays the same and one that changes all the time.

Those are great against key-loggers, not so against people that have insider info.