I talked to multiple friends today about password security, and I'm shocked to learn that people still use questionable password schemes, and I really see why people are trying to move away from passwords to things like 2FA or hardware tokens. Nobody educates people on how to make good passwords that hold up to security guarantees, and they buy into whatever technology saves them time and effort. It's not a judgement on them, but it's just shocking to me. So let me explain.

2FA rant 

@jookia I refuse to use any 2FA that is SMS-based, which is most 2FA systems these days. Its security is questionable at best and prone to social engineering attacks, not to mention that it requires forking over a very trackable and identifiable phone number to function. TOTP or GTFO, I say.

2FA rant 

@faoluin I've had the opposite experience: most 2FA I've used is TOTP or uses a proprietary app.

@jookia @faoluin my bank (one of the worst accounts to risk compromise) uses sms auth, and opencollective uses email sign-in. a scary number of financial online things have crazy backwards policies

@wowaname @faoluin I think the worst example would be Twitch where the only way to get 'secure' codes is by using Authy's app which uses your phone number as auth.

@jookia @wowaname@anime.website *Grumbles at the inconvenience of defederation*

One of my old banks used to restrict passwords to no more than ten characters in length. It was insane, and not that long ago.
