Two factor authorisation

Two factor authorisation in its simplest terms means that when I log on to Wikipedia, in addition to my password, I would also have to supply a second code generated on my mobile phone.

Is this a good idea?

It's only a small inconvenience when logging on, so that's not a problem. The real problem comes if you ever lose your mobile phone because your access to your account is tied to that device.

What's the problem?

The current implementation for MediaWiki allows you to copy down a series of "scratch" codes that are generated when you set up 2FA, and those can be used to regain access to your account. However, that's going to be a lot of hassle and it means that your access to your account is now out of your hands.

Is that likely?

Unfortunately, yes. Dropping a mobile phone can break it. Simply leaving it somewhere has happened to several people I know, and I bet you have the same experience. The statistic for theft is that around half a million people in the UK have their mobile phones stolen each year (out of a total UK ownership of around 40 million). That's not good odds in my opinion, and I'd rather take steps to improve those odds while keeping the risk within my own control.

Can we improve the odds?

I believe we can. It's quite possible to create a "password" that would take longer than the heat death of the universe to crack, given current technology. If we're happy to drop the time to crack it down to a few centuries, we can have something that's easily memorable as well. The key is length. That's it. Nothing more is needed: no fancy symbols; no l33t character replacements; no gobbledegook strings. Just make up a nice simple sentence containing 8 or 9 words. Make at least one of the words something unusual. The good thing about unusual words is that they are easy to remember and make the size of the dictionary needed for a usable dictionary attack much larger. If you can work in a big number and maybe some punctuation as well, you're well on your way to making what is, to all intents and purposes, an uncrackable password that's easy for you to remember.

Is there a downside?

Yes, it takes longer to log in when you have to type 30+ characters. You'll cope with it.

Anything else?

Yes. Make sure you never reuse your "password" (should really call it a pass-phrase) anywhere else. Keep your PC security up, because the easiest way of getting your password now is for a hacker to install a key-logger on your computer.

The maths

The time to crack a password is directly related to the number of combinations that could make up a password. For a "brute force" attack, the cracker has to test every possible character in every possible position, so for example, using 8 alphanumeric characters (62 of them, upper- and lower-case letters plus digits) would give 62^8 combinations, which is around 2 x 10^14. Using all the basic printable ASCII characters (95 of them) with a length of 8 characters would give 95^8 combinations, which is around 6 x 10^15. That's a 30-fold increase at the cost of having to remember symbols as well as letters and numbers. On the other hand, using just letters and numbers (62 of them) with a length of 10 characters gives over 8 x 10^17 combinations. Adding a couple of extra characters improves the strength by a factor of 4,000 and so is much more valuable in strengthening passwords than insisting on using "special characters", whose main effect is to make passwords far more difficult to remember.

According to https://keithieopia.com/post/2017-12-13-passwd-crack-time/ a 9-character alphanumeric password can be cracked nowadays in around 2 minutes. A 10-character one in 2 hours. You need 13 characters to get to 64 years. If the cracker tries to brute-force a 30 character pass-phrase, they are looking at whiling away 2 x 10^32 years. Good luck with that.

A dictionary attack is used against pass-phrases. The idea is to have a dictionary of, let's say, 8,000 words which will contain every word you used in your pass-phrase. You then only need to try 8,000 possibilities for each word. So 5 words gives 8,000^5 = 3 x 10^19 combinations. That currently will take about 8 years to crack. Go with my recommendation of 8 words and your safety extends to something like 4,000 billion years. Should be okay. It becomes even better if you've got an unusual word not in their dictionary.
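The brute-force and dictionary arithmetic above, as an added Python example that is not part of this essay. The guess rate is inferred from the quoted "9 alphanumerics in 2 minutes" benchmark, which is an assumption to replace with a figure measured on your own hardware:

```python
# Added worked example (not from the essay): reproduces the search-space
# arithmetic and converts a benchmarked guess rate into worst-case crack times.
ALNUM = 62          # a-z, A-Z, 0-9
PRINTABLE = 95      # basic printable ASCII
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_space(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must cover: alphabet ** length."""
    return alphabet_size ** length


def dictionary_space(dictionary_size: int, words: int) -> int:
    """Candidates for a word-list attack whose list contains every word used."""
    return dictionary_size ** words


def guess_rate(alphabet_size: int, length: int, seconds: float) -> float:
    """Infer guesses/second from a benchmark such as '9 alphanumerics in 120 s'
    (assumed figure taken from the post linked in the essay)."""
    return brute_force_space(alphabet_size, length) / seconds


def years_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate, in years."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR


def strength_ratio(a_size: int, a_len: int, b_size: int, b_len: int) -> float:
    """How many times larger the (b) search space is than the (a) space."""
    return brute_force_space(b_size, b_len) / brute_force_space(a_size, a_len)


if __name__ == "__main__":
    rate = guess_rate(ALNUM, 9, 120)   # assumed benchmark: 9 chars in 2 minutes
    for label, size, n in [("8 alnum", ALNUM, 8), ("8 printable", PRINTABLE, 8),
                           ("10 alnum", ALNUM, 10), ("13 alnum", ALNUM, 13),
                           ("30 alnum", ALNUM, 30)]:
        space = brute_force_space(size, n)
        print(f"{label:12s} {space:.1e} candidates, "
              f"{years_to_exhaust(space, rate):.2g} years")
    print(f"symbols vs letters at 8 chars: x{strength_ratio(ALNUM, 8, PRINTABLE, 8):.0f}")
    print(f"10 vs 8 alphanumerics: x{strength_ratio(ALNUM, 8, ALNUM, 10):.0f}")
    print(f"5 words from 8,000: {dictionary_space(8000, 5):.1e} candidates")
    print(f"8 words from 8,000: {dictionary_space(8000, 8):.1e} candidates")
```

Swap in a guess rate measured with your own cracking benchmark; the ratios between spaces do not depend on it, but the absolute years do.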

Further reading