[yaix]

Simply use five random dictionary words as a password and you are fine. The browser will store then the password easy login.

Two-facor auth just adds to complexity, and that is a bad thing when it comes to secutiry. You want to be able to easily understand that a system is secure. The more complex a system is, the larger the likelyhood of a surprise "whoops, I overlooked that" somewhere down the road.

[modernerd]

A great password won't protect you or your clients from keyloggers, writing the password on a post-it to stick to a monitor, shouting it across an office, emailing it to a friend's 'web genius' kid so he can fix that thing that's broken, and a dozen other password misadventures.

Two-factor auth is not just about rendering dictionary attacks ineffective.

[ra]

Or any slightly obscure memorable phrase. e.g. mycatmiffylikesbiscuits or tallspeakerswithoutafaceplaterattle or emptyhandlebeerglasshasfoam ...

[ZoFreX]

No. The key word in the comment you replied to was "random". "mycatmiffylikesbiscuits" is a pretty terrible password.

[danenania]

How so? Assuming about 100,000 common words in the English language, with a five word phrase aren't you talking about 10000000000000000000000000 combinations for a dictionary attack to churn through? Even if you narrow it down to phrases that make grammatical sense (which certainly isn't a trivial thing to do algorithmically), you're still talking pretty astronomical numbers, and that doesn't account for the large increase in the corpus that would be needed for an attack that could include a name like "miffy" in its attempts.

[chii]

But if the attacker knew with good probability that your passphrase is a valid sentence, they'd have ways to eliminate incorrect sentences, and so reduce the search space a bit (or a bit more, depending on how clever they are).

[ZoFreX]

Have you ever used SwiftKey or Swype on Android? Vaguely the same principles apply here. It actually wouldn't be hard to generate passphrases where you try the most "predictable" phrases first. E.g. if you start your brute-forcing at "my cat" you would try "my cat likes" a long time before you tried "my cat algorithmically".

Also, 100,000 common words is a bit more than you would need. If people are plucking words from their heads, rather than rolling dice and picking from a list, you can assume a more limited corpus and still crack a lot of passwords.

[andyakb]

Nobody starts brute forcing at "mycat." Even if they somehow knew that's how it started, that barely helps them. They don't know how many other words there are, or what the next one is. Simply because it is more likely to be "my cat likes" does not mean it is now feasible to crack. Without social engineering, that password is not crackable for all practical purposes and is far from a terrible password.

[ZoFreX]

No, but we're talking about brute forcing billions of attempts per second, and we're not up against randomness, we're up against "the best pseudorandomness the human brain can muster", so the odds aren't 1 / <number of possibilities>. A password is severely weakened if it isn't sufficiently random.

[Datsundere]

",uvsy,oggu;olrdnodvioyd" is not terrible though. If you see what I did there.