stan via devel wrote:
> e.g. What is your favorite food? Jamaica.

Acceptable for human-to-human interaction, but falls quickly to a dictionary attack if verification is automated.

> or What was your team's name in high school? 0126672651361

43 bits of entropy if all the digits are random; decent strength but not great.

> I suppose it could be a passphrase, but this is easier to cut and
> paste.

We're talking about a backup secret. You're not supposed to use it every day. It's not a problem if it takes a few seconds to copy it the one time you actually need it.

That said, if you don't want spaces in your passphrase, then just write it without spaces:

What is your favorite food? sleepyarsenicblimpswithgranitechipsandlewdPCB

> How about everyone has two logins, and they have to log in with
> different logins from the same device, using different passwords. They
> then are considered to be authenticated. That uses the existing
> infrastructure of password managers to keep passwords secure, and just
> requires two logins on the site being logged into; should be easy
> enough. Less secure than a real second factor, but more secure than a
> single password. I suppose if we consider that too much trouble, just
> add a second password to the single login everywhere. Even less secure
> than the two login method, though.

Requiring two passwords might somewhat mitigate the problem of naive users believing that a word like "Jamaica" is useful as a password – if it's checked server-side that the two passwords are not similar – but it's not two-factor authentication if both passwords are stored in the same password manager.

I'm not going to speculate on how you mean that "two logins" would differ from two passwords.

Björn Persson
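
The server-side "not similar" check and the 43-bit estimate discussed in the message above, as an added example that is not part of the original e-mail. The word list, the 0.6 threshold and all function names are assumptions, and the check is assumed to run at enrollment, while both passwords are still available in plaintext and before they are hashed.

```python
import math
from difflib import SequenceMatcher

# Constructed stand-in for a real cracking dictionary (assumption).
COMMON_WORDS = {"jamaica", "password", "pizza", "dragon"}
SIMILARITY_LIMIT = 0.6  # assumed threshold; tune it against real data


def random_secret_bits(alphabet_size, length):
    """Entropy in bits when every symbol is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def _normalize(pw):
    """Fold case and drop punctuation so 'Jamaica!' compares equal to 'jamaica'."""
    return "".join(ch for ch in pw.casefold() if ch.isalnum())


def too_similar(a, b):
    """True if one password is a trivial variation of the other."""
    na, nb = _normalize(a), _normalize(b)
    if not na or not nb:
        return True  # nothing left to compare: treat as a failure
    if na in nb or nb in na or na == nb[::-1]:
        return True  # one contains the other, or is its reverse
    return SequenceMatcher(None, na, nb).ratio() >= SIMILARITY_LIMIT


def check_pair(pw1, pw2):
    """Return the reasons to reject the pair; an empty list means accept."""
    problems = []
    for label, pw in (("first", pw1), ("second", pw2)):
        if _normalize(pw) in COMMON_WORDS:
            problems.append(f"{label} password is a dictionary word")
    if too_similar(pw1, pw2):
        problems.append("passwords are too similar")
    return problems


if __name__ == "__main__":
    print(f"13 random digits: {random_secret_bits(10, 13):.1f} bits")
    print(check_pair("Jamaica", "jamaica1"))
    print(check_pair("sleepyarsenicblimpswithgranitechipsandlewdPCB",
                     "0126672651361"))
```

Passing this check says nothing about where the two passwords are stored, so it does not turn them into two factors.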