undefined | Better HN

0 pointsMarkMc12y ago0 comments

Yes you are right that it is not 'true' two-factor authentication. It would certainly be more secure if all my users were able and willing to use something like Google Authenticator. However, I suspect that most of my users (who are not especially computer literate) would prefer the simplicity of writing down 4 words over having to install and configure an two-factor app on their phone.

You say, "it's not much more difficult to crack two passwords than one" but I don't see how that is the case if the second password is four words chosen at random from a dictionary of say 5000 words. Such a password is far more difficult to crack than the average password chosen by the average user. Having a second passphrase generated by a computer also eliminates the problem of users re-using the same password between sites, or choosing "letmein" or "password1" as a password.

0 comments

snowwrestler12y ago

Why not just require your users to set a 4-word passphrase as their password? You'll capture more variations than you would working from a fixed 5,000 word dictionary, and your users can still choose to write the words down if they want--or they can use the password management features of their browsers if they want. Plus it would be more simple to build and maintain, which is a plus when it comes to security.

MarkMcOP12y ago

The problem is that the average user is really bad at choosing a password. If the system requires a four-word passphrase then the user will choose easy-to-crack passphrases such as "use the force luke" or "john paul george ringo".

If the system randomly chooses the four words then you force the user to exchange convenience for security.

snowwrestler12y ago

Then why let users choose a password at all? Why not just assign them one that they have to write down? And if they're going to write it down anyway, why make it words? Why not generate a 20 character random string?

I obviously don't have the whole picture of your effort, but from your description so far, I think you are over-emphasizing the importance of clever password schemes. As Colin points out in the top comment, hashing with scrypt will make even mediocre passwords uncrackable. So it would be a better use of your time to implement scrypt or bcrypt with just one password.

And high-speed cracking is only a problem if the bad guys get your password table. To do that they will have to get into your application...and if that happens there are all sorts of other problems. So I'd argue that spending more time testing and proving the overall security of your app is also a better use of your time.

1 more reply

j / k navigate · click thread line to collapse

0 pointsMarkMc12y ago0 comments

0 comments

snowwrestler12y ago

MarkMcOP12y ago

If the system randomly chooses the four words then you force the user to exchange convenience for security.

snowwrestler12y ago

1 more reply

j / k navigate · click thread line to collapse