Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
why would it be insecure? Is it some sort of L33t code? if not than it's not bad as long as the passwords are stored properly
Big letters, small letters and numbers are already 62 possible symbols per position, with 12 positions that's 62^12 combinations so 3,22*10^21 and unless it's just some sort of L33t code or similar alphabet word exchange, then dictionary and mutation attacks should be well negated. I mean sure, if you added special symbols it would be better, but since you also have 2FA then it's not that much of a problem. If the password is generated just for that service and you don't re-use it in other services, then practically even IF someone cracks that using some sort of clever technique, it's still secure, and the leak doesn't cause other services to be vulnerable
or am I wrong? -
Any passphrase is insecure. Any passphrase can be cracked. Question is: how much of an effort and $ do you think a hacker would like to invest in order to crack your password in that particular system.
In other words, how useful is it to crack it.
Personally, I'd add at least 1 mandatory spec character to the passphrase. It rules dict attacks useless and makes brute force unreasonably long.The hacker will prolly choose soc engg. instead of JTR, which, although more visible, is actually more productive and easier to carry out, than guessing the passphrase... -
@Hazarth it's either my own password and 2fa or only this app password. So after having this password no 2fa.
-
@electrineer mail
-
@netikras with spec chars this password would feel way more secure to me and that's what i thought about often, telling them to at least add spec chars and maybe a tad longer.
-
@IntrusionCM with 2fa activated i need to generate these passwords with way less entropy than my password to access it with my mail client. But with 2fa disabled i would only need my password with more entropy than these "app passwords"
-
@jonas-w The math of @Hazarth is right. Assuming an attacker against this specific mail service can try 10 000 passwords per second without any kind of lock out or brute force protection, and the password is correctly randomly generated, an attacker still requires some billion years on average to guess this password.
-
@IntrusionCM SMTP, POP3 and IMAP do not allow usable 2FA. While all of them do support Oauth2 (with possible 2FA in the webbrowser), it does not support it in a manner that it would work for arbitrary clients. Hence app passwords for those protocols are required.
-
@sbiewald Completely forgot this.
Been using Protonmail since years....
🤣🤣🤣
Funny how you get so used to stuff that you completely blank out on such common knowledge. -
@sbiewald exactly.
The weird thing is i get some notifications that some ip's logged in using an app password but no mention of which of those app passwords were used to login.
And that's why i thought maybe these app passwords are too insecure because these app passwords are only in my clip board. But probably these sign ins are from my mobile phone and geoip is not that reliable
Am i overthinking too much or are passwords like this
S9L4dk1i6sy5
Insecure?
This is an example generated by some website where i have activated 2fa and need to generate app passwords to access it from clients
I've thought about it many times to ask them to make it more secure but everytime i think i'm overrracting
question