Old 22-01-2021, 23:33   #21
idi banashapan
step on my trip
Join Date: Jul 2003
Posts: 3,766
Re: Password managers

Quote:
Originally Posted by Paul
If you have a good password to start with, 2FA is just a waste of your time.
Any password can be cracked given enough time and people are still silly enough to fall for phishing emails where they will freely give away their passwords believing fake websites to be legit, or requests for credentials to be genuine. With a rise in distributed cracking of passwords like fitcrack, thousands of machines could be working on your password at the same time. I mean, there's even freely available code on Github to add to websites that utilise visitors' web browser CPU time to work on passwords whilst they visit a website. There are so many free and very easily obtainable packages out there to harvest or payload in order to gain passwords without you even knowing about it. Consider Kali for example, and the enormous array of abilities that package has, and it's all free.

2FA requires something you know (password) AND something you have (rotating code / smart card / et cetera). This means either one is absolutely useless without the other. If someone loses their password for any reason to someone outside of themselves, that 3rd party still cannot access the account. If the 3rd party steals your smartcard or gains access to your authenticator application, it means nothing without your known account credentials.

If it were a waste of time, people and businesses across the globe wouldn't bother implementing it. There is no doubt 2FA would have saved businesses millions, if not billions, of pounds over the years through fraud and cryptolocking attacks. Social engineering is rife and people are always the weakest link. Regardless of how 'safe' you think your password is, or how clever you think you are, a password by itself will never be as secure as one used in conjunction with 2FA.

Security is the leading concern and factor in the IT industry right now being driven forward and pushed. Think GDPR, ISO27001, CyberSecurity implementations and so on.

howsecureismypassword.net and other such sites are great for filling people with a false sense of security because a 'long' password looks like it will take so long to crack it will forever be safe. But:

1) I refer to my point on social engineering - people are so inquisitive, they put their actual passwords into these sites to see how long it might take to crack - they have just typed in their password! Who knows what such sites are doing with that data? Match that to an IP and cross reference a leaked access database from an infrastructure such as Google, Apple, MS, Facebook or whoever and the opportunity is there to match that IP to a user account name and then the password from that password checking site.

2) Those sites give you an idea how long a basic desktop computer by itself might take to crack a password. They do not take into account GPU-based algorithm password cracking or the aforementioned distributed password cracking techniques. ANY everyday password could potentially be broken within hours depending on the methods employed.

Your passwords are most likely safe purely because you, as an individual, are not worth enough to waste time on it for another individual to target you directly. But when it's all being done automatically by machines, there's absolutely no favouritism at play and you are as vulnerable as the next guy or company.


If you have the option to use 2FA, use it. It's very quick to set up and very easy to use. And is WAY more secure than any password alone.
__________________
“Most people don’t listen to understand. They listen to reply. Be different.”

- Jefferson Fisher

Last edited by Paul; 23-01-2021 at 23:30. Reason: Don't attack me again, it won't end well.
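As an added illustration of the "something you know AND something you have" point made in the post above (example code, not from the post or its author): a minimal RFC 6238 TOTP check sitting beside a salted password hash, where login succeeds only when both factors verify. The account record, the PBKDF2 parameters and the timestamps are constructed for the demo; the TOTP test vectors are the published RFC 4226/6238 ones.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter) to 6 decimal digits.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# RFC 6238 TOTP: HOTP over the 30-second time step, so the code rotates.
def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, at // step, digits)

def verify_totp(secret: bytes, code: str, at: int, skew: int = 1) -> bool:
    """Accept the current step plus/minus `skew` steps to tolerate clock drift."""
    step_now = at // 30
    return any(hmac.compare_digest(hotp(secret, step_now + d), code)
               for d in range(-skew, skew + 1))

# Constructed demo account: password stored as salted PBKDF2, TOTP secret kept server-side.
PBKDF2_ROUNDS = 200_000  # assumed value for the demo, not a recommendation from the post

def make_account(password: str) -> dict:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "totp_secret": secrets.token_bytes(20)}

def login(account: dict, password: str, code: str, at: Optional[int] = None) -> bool:
    """Both factors are always evaluated, so a wrong password or a wrong code each fails alone."""
    at = int(time.time()) if at is None else at
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), account["salt"], PBKDF2_ROUNDS)
    pw_ok = hmac.compare_digest(candidate, account["hash"])
    code_ok = verify_totp(account["totp_secret"], code, at)
    return pw_ok and code_ok

if __name__ == "__main__":
    acct = make_account("correct horse")
    now = int(time.time())
    print("password only:", login(acct, "correct horse", "000000", now))
    print("both factors :", login(acct, "correct horse", totp(acct["totp_secret"], now), now))
```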