by swiftcoder
153 days ago
> Yes, but also plain guessing since passwords are usually chosen by the user and not generated by the server like TOTP secrets.

If we were talking a >256-bit secret, I'd buy this, but in the human-calculated case I don't see how it actually helps with this, because you've substituted a ~8 character password for a 6 digit number, which is a significantly smaller search space to brute-force.

> Also phishing attacks tricking users into entering their passwords in fake login pages

Yes, this is more-or-less a subset of the "keylogger/insecure login page" case.

> and stolen password databases

There's still a server-side TOTP secret database to be stolen, no? And normally that would be hard to reverse-engineer the actual secret from, but again, you've shrunk the search space down to 1,000,000 entries, which is trivial to brute force.