by slownews45
1856 days ago
My own view - reused passwords come from leaks - should be a penalty of $100 per leaked password - come on, salt and hash them! This would at least put some pressure on that side. Class actions allowed. This would push more towards OAuth etc. Then for targeted attacks, allow non-SMS two-factor with multiple keys and recovery codes. I'm on non-SMS two-factor on Google with recovery codes in a drawer. Have never changed my password and actually have it memorized (and I only use it for Google). Same password for 15+ years or so now. Feel totally secure. Google Authenticator on phone is pretty good because people really keep track of their phone (more so than Yubico keys). I have a Yubico on keychain which works 90% (a bit awkward in some cases).
At this point I just assume that any password that's been leaked (hashed or not) is in plaintext in some database. Obviously 20-character random passwords aren't going to get reversed but there's no guarantee that they were always hashed and weren't leaked from the login process itself, etc.
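The "salt and hash them" point from the first comment, shown as an added example that is not part of either commenter's text: each stored credential gets its own random salt and a memory-hard derivation (scrypt from the Python standard library), the record is self-describing so cost parameters can be raised later, and verification uses a constant-time comparison. The record layout `scrypt$N$r$p$salt_hex$hash_hex` and the cost parameters are assumptions chosen for this example, not a format from the thread.

```python
import hashlib
import hmac
import os
from typing import Optional

# Cost parameters are assumed values for this example; tune them so a
# single derivation takes tens of milliseconds on your login servers.
SCRYPT_N = 2 ** 14        # CPU/memory cost (must be a power of two)
SCRYPT_R = 8              # block size
SCRYPT_P = 1              # parallelism
SCRYPT_MAXMEM = 64 * 1024 * 1024
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted scrypt hash and return a self-describing record.

    A fresh random salt per credential means two users with the same
    password (or one user reusing a password across sites) produce
    different records, so a leaked table cannot be cracked once and
    looked up, and cannot reveal reuse by inspection.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        maxmem=SCRYPT_MAXMEM,
        dklen=DKLEN,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the parameters stored in the record and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, hash_hex = record.split("$")
        if scheme != "scrypt":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        dk = hashlib.scrypt(
            password.encode("utf-8"),
            salt=salt,
            n=int(n),
            r=int(r),
            p=int(p),
            maxmem=SCRYPT_MAXMEM,
            dklen=len(expected),
        )
    except ValueError:
        # Malformed record (wrong field count, bad hex, bad parameters).
        return False
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(dk, expected)


def same_password_distinct_records(password: str) -> bool:
    """Show the effect of per-credential salts: two records for the same
    password differ on disk, yet both verify against that password."""
    rec_a = hash_password(password)
    rec_b = hash_password(password)
    return rec_a != rec_b and verify_password(password, rec_a) and verify_password(password, rec_b)


if __name__ == "__main__":
    # Constructed sample credential, not real data.
    record = hash_password("correct horse battery staple")
    print(record)
    print("good password verifies:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:", verify_password("Tr0ub4dor&3", record))
    print("same password, distinct records:", same_password_distinct_records("hunter2"))
```

The record stores N, r and p alongside the salt, so when hardware gets faster the server can bump the constants and transparently re-hash a user's password on their next successful login, without a migration that would itself require the plaintext.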