by jzs 2147 days ago
"Now might be a good time to change your password to something longer, or finally get onboard with 2FA."

If it becomes trivial to crack the passwords, then we're really left one factor. Unless we replace the password factor with something else.

Sqrl perhaps?


Cracking good (long) passwords is far from trivial (and mathematically should remain that way); the main problem is that most users pick terrible passwords.
The problem: users don't want long passwords.

(Though password managers can help a lot.)

Oh, the irony...

One of my banking apps has a 10 minute logout "feature" (which can't be disabled) that pretty much guarantees you need to have a crappy, easy-to-remember password if you want to use it. Add on top of this a predilection for "2FA" (aka text message) every few times you log in and the thing is basically an unusable hot mess.

(looking at you, Walmart MoneyCard)

Not trivial. You still have to break in and get /etc/passwd or the equivalent, right? And doesn't creating a unique salt for each client also help significantly?
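The per-client salt point raised in the comment above, as an added example (not code from the thread): a stdlib-only Python routine that stores one random salt per user inside a self-describing record and verifies logins with a constant-time compare. The record layout, the iteration count and the field names are this example's own choices; the contrast function shows why two users with the same password leak that fact under an unsalted hash but not under a salted one.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed parameters for this example. A real deployment tunes ITERATIONS to
# the slowest login latency it can tolerate on its own hardware.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a record of the form $pbkdf2-sha256$<iters>$<salt b64>$<hash b64>.

    A fresh random salt is drawn on every call, so hashing the same password
    twice never produces the same record, and a table precomputed for one
    user's salt is useless against every other user.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$pbkdf2-sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def parse_record(record: str) -> Tuple[int, bytes, bytes]:
    """Split a stored record back into (iterations, salt, expected digest)."""
    _, scheme, iters, salt_b64, hash_b64 = record.split("$")
    if scheme != "pbkdf2-sha256":
        raise ValueError("unsupported hash scheme: " + scheme)
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(hash_b64)


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    iterations, salt, expected = parse_record(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def unsalted_digest(password: str) -> str:
    """The anti-pattern: identical passwords collapse to identical hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def same_password_is_linkable(password: str, salted: bool) -> bool:
    """Do two accounts with the same password end up with the same stored value?"""
    if salted:
        return hash_password(password) == hash_password(password)
    return unsalted_digest(password) == unsalted_digest(password)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("login ok:", verify_password("correct horse battery staple", rec))
    print("wrong pw:", verify_password("correct horse battery stable", rec))
    print("linkable unsalted:", same_password_is_linkable("hunter2", salted=False))
    print("linkable salted:  ", same_password_is_linkable("hunter2", salted=True))
```

Storing the iteration count in the record lets a site raise the work factor later and rehash each user's password transparently at their next successful login.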
WebAuthn is well supported across all major browsers and can be used for multifactor login without username and password.
Client certificates are also a thing.
And they are an utter PITA to use, everywhere in the stack...
We could fix that...
If it’s trivial to dump password hashes, you’re probably already left with zero factors.
For a lot of things this is true, but not for WebAuthn.

Here's what my site has on file for one of my own logins:

id: AWrNx4WDVIACFXeNDG4h6R6/ppUi8oIuXJYRwaJtOxssDZybQnu8wt6Cjdc4PqztvnSxnSgLmZGRT1BTnbZjz/M=

public key: pQECAyYgASFYIFsl5O6VHyqngNHPlNmWrjGTPjLFh1jzVnhOUJGP79yVIlgg6L2rDoH/l028WsMes+MbDU0RzM2oSdTcRq+cSwz/E/k=

friendly name: unhygienix

The only thing you can do with that data is the exact thing it's intended for, checking the user has the authenticator corresponding to that ID and wants to sign into this particular web site. Also I guess you maybe learn that this user enjoyed the Asterix comics?

You can't impersonate me using that data, any more than you can impersonate Hacker News based on the data inside its TLS certificate.
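To make concrete what the record above actually contains, here is an added Python example (not the commenter's own code) that decodes the quoted public key. WebAuthn stores credential public keys as a COSE_Key, a small CBOR map whose labels are fixed by RFC 8152 (1 = kty, 3 = alg, -1 = crv, -2 = x, -3 = y, and -4 = d for a private scalar that a relying party never receives). The example uses a minimal hand-written CBOR decoder for the subset a COSE key needs; the helper names are this example's own, and the two base64 strings are copied verbatim from the comment.

```python
import base64
from typing import Any, Dict, Tuple

# Copied verbatim from the comment above (the commenter's own posted record).
CREDENTIAL_ID_B64 = "AWrNx4WDVIACFXeNDG4h6R6/ppUi8oIuXJYRwaJtOxssDZybQnu8wt6Cjdc4PqztvnSxnSgLmZGRT1BTnbZjz/M="
PUBLIC_KEY_B64 = "pQECAyYgASFYIFsl5O6VHyqngNHPlNmWrjGTPjLFh1jzVnhOUJGP79yVIlgg6L2rDoH/l028WsMes+MbDU0RzM2oSdTcRq+cSwz/E/k="

# Registry values from RFC 8152 / IANA COSE registries.
KTY_NAMES = {2: "EC2"}
ALG_NAMES = {-7: "ES256"}
CRV_NAMES = {1: "P-256"}


def _read_arg(data: bytes, pos: int, info: int) -> Tuple[int, int]:
    """Decode the 'additional information' field that follows a CBOR initial byte."""
    if info < 24:
        return info, pos
    size = {24: 1, 25: 2, 26: 4, 27: 8}.get(info)
    if size is None:
        raise ValueError("indefinite-length or reserved CBOR item not supported")
    return int.from_bytes(data[pos:pos + size], "big"), pos + size


def decode_cbor(data: bytes, pos: int = 0) -> Tuple[Any, int]:
    """Decode one CBOR item (ints, byte/text strings, arrays, maps); return (value, next_pos)."""
    initial = data[pos]
    pos += 1
    major, info = initial >> 5, initial & 0x1F
    if major == 0:                       # unsigned integer
        return _read_arg(data, pos, info)
    if major == 1:                       # negative integer, encoded as -1 - n
        n, pos = _read_arg(data, pos, info)
        return -1 - n, pos
    if major == 2:                       # byte string
        n, pos = _read_arg(data, pos, info)
        return bytes(data[pos:pos + n]), pos + n
    if major == 3:                       # text string
        n, pos = _read_arg(data, pos, info)
        return data[pos:pos + n].decode("utf-8"), pos + n
    if major == 4:                       # array
        n, pos = _read_arg(data, pos, info)
        items = []
        for _ in range(n):
            item, pos = decode_cbor(data, pos)
            items.append(item)
        return items, pos
    if major == 5:                       # map
        n, pos = _read_arg(data, pos, info)
        result: Dict[Any, Any] = {}
        for _ in range(n):
            key, pos = decode_cbor(data, pos)
            value, pos = decode_cbor(data, pos)
            result[key] = value
        return result, pos
    raise ValueError("unsupported CBOR major type %d" % major)


def describe_credential(cred_id_b64: str, pubkey_b64: str) -> Dict[str, Any]:
    """Summarise what a relying party holds for one WebAuthn credential."""
    cred_id = base64.b64decode(cred_id_b64)
    raw_key = base64.b64decode(pubkey_b64)
    cose, end = decode_cbor(raw_key)
    return {
        "credential_id_len": len(cred_id),
        "cose_bytes": end,
        "kty": KTY_NAMES.get(cose.get(1), cose.get(1)),
        "alg": ALG_NAMES.get(cose.get(3), cose.get(3)),
        "crv": CRV_NAMES.get(cose.get(-1), cose.get(-1)),
        "x": cose[-2].hex(),
        "y": cose[-3].hex(),
        # Label -4 would be the private scalar; it is never part of what the site stores.
        "has_private_scalar": -4 in cose,
    }


if __name__ == "__main__":
    for field, value in describe_credential(CREDENTIAL_ID_B64, PUBLIC_KEY_B64).items():
        print("%-19s %s" % (field + ":", value))
```

What comes out is an ES256 key on P-256: the 32-byte x and y coordinates of a public point, a credential ID, and nothing else. At login the site sends a fresh challenge and uses only this point to check the authenticator's signature over the authenticator data and the hash of the client data, so a copy of the record gives a thief nothing to sign with.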