Submitted via IRC for AndyTheAbsurd
The DHS recently issued a warning against the use of common and/or easily guessed passwords after several government agencies have been targeted by "password spray" attacks.
It seems that the world outside of technologists will never listen to advice regarding strong passwords, not reusing passwords, not writing passwords down, etc. If you're an administrator and have the ability to do so - for the love of Dog, please enable TOTP (https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm) or something similar - and remember that SMS is far too easy to spoof to be considered a secure method of delivering one-time passwords.
Source: SC Magazine
(Score: 2) by FatPhil on Monday May 13 2019, @11:00AM (1 child)
I write my password down on a post-it note, and am so lazy I enter it using OCR via the webcam - is that something I know, or something I have?
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Tuesday May 14 2019, @02:43AM
A written-down password is something you know; changing the medium doesn't change the original threat-model reason for that authentication mode. If you are having a hard time with this, think of the TOTP token like an SSH key. The fact that you could theoretically remember all the parameters and a pseudorandom number hundreds, if not thousands, of bits long doesn't change the fact that it is supposed to be something you carry around in the proper form for authentication, as opposed to being locked in your memory.