1
j0n4s
2y

Am I overthinking too much, or are passwords like this

S9L4dk1i6sy5

Insecure?
This is an example generated by some website where I have activated 2FA and need to generate app passwords to access it from clients.

I've thought about it many times to ask them to make it more secure, but every time I think I'm overreacting.

Comments
  • 2
    Why would it be insecure? Is it some sort of l33t code? If not, then it's not bad as long as the passwords are stored properly.

    Big letters, small letters and numbers are already 62 possible symbols per position; with 12 positions that's 62^12 combinations, so 3.22*10^21, and unless it's just some sort of l33t code or similar alphabet word exchange, then dictionary and mutation attacks should be well negated. I mean sure, if you added special symbols it would be better, but since you also have 2FA then it's not that much of a problem. If the password is generated just for that service and you don't re-use it in other services, then practically even IF someone cracks that using some sort of clever technique, it's still secure, and the leak doesn't cause other services to be vulnerable.

    or am I wrong?
  • 5
    Security is most of the time not a question of the password (unless it's _incredibly_ stupid)…
  • 3
    It depends on who or what you're securing it from. If it's just some random website with nothing valuable, it's probably fine.
  • 2
    Any passphrase is insecure. Any passphrase can be cracked. The question is: how much effort and $ do you think a hacker would like to invest in order to crack your password in that particular system?

    In other words, how useful is it to crack it.

    Personally, I'd add at least 1 mandatory special character to the passphrase. It renders dictionary attacks useless and makes brute force unreasonably long. The hacker will prolly choose social engineering instead of JTR, which, although more visible, is actually more productive and easier to carry out than guessing the passphrase...
  • 1
    I just don’t know, I just slap uuidgen or OpenSSL rand hex generated values and follow the game …
  • 0
    @Hazarth It's either my own password and 2FA, or only this app password. So after having this password, no 2FA.
  • 0
    So in the end it would be way more secure not using 2FA, which is very weird.

    I'm no person of interest, I'm just a paranoid piece of shit.
  • 0
    @netikras With special chars this password would feel way more secure to me, and that's what I thought about often: telling them to at least add special chars and maybe make it a tad longer.
  • 0
    @jonas-w Not using 2FA is more secure.... How do you come to this conclusion?

    2FA is usually safe, unless the communication is unsafe.

    E.g. SMS as 2FA provider, or an unencrypted / unprotected 2FA auth app.
  • 0
    @IntrusionCM With 2FA activated I need to generate these passwords, with way less entropy than my password, to access it with my mail client. But with 2FA disabled I would only need my password, with more entropy than these "app passwords".
  • 3
    @jonas-w Woot.

    Wait.

    Just that I get it correctly ...

    Your email provider pregenerates a password for you when you activate 2FA, with no chance to change it?

    Please tell me I'm wrong, because this sounds too incredibly stupid to be true.
  • 1
    @jonas-w The math of @Hazarth is right. Assuming an attacker against this specific mail service can try 10,000 passwords per second without any kind of lockout or brute-force protection, and the password is correctly randomly generated, an attacker still requires some billion years on average to guess this password.
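The keyspace and crack-time arithmetic from the two comments above, as an added worked example that is not part of any commenter's post. It assumes the 62-symbol alphabet (upper, lower, digits) Hazarth counts, the 10,000 guesses per second sbiewald assumes, and a hypothetical app-password generator that draws each character uniformly from `secrets` (the mail provider's own generator is not shown on the page). The comparison with a 94-symbol alphabet goes beyond the thread's numbers to show what netikras's "add a special character" suggestion buys.

```python
import math
import secrets
import string

# Alphabets discussed in the thread (assumption: ASCII punctuation for "special chars").
ALPHABET_ALNUM = string.ascii_letters + string.digits        # 62 symbols
ALPHABET_WITH_SYMBOLS = ALPHABET_ALNUM + string.punctuation  # 94 symbols

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def average_crack_years(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Expected online-guessing time: a uniformly random password is found,
    on average, after half the keyspace has been tried (no lockout assumed)."""
    seconds = keyspace(alphabet_size, length) / 2 / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def implied_alphabet_size(password: str) -> int:
    """Alphabet size implied by the character classes actually present.
    This is the most an attacker must assume if they know the generator's policy."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += len(string.ascii_lowercase)
    if any(c in string.ascii_uppercase for c in password):
        size += len(string.ascii_uppercase)
    if any(c in string.digits for c in password):
        size += len(string.digits)
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def generate_app_password(length: int = 12, alphabet: str = ALPHABET_WITH_SYMBOLS) -> str:
    """Hypothetical generator: each position drawn uniformly with a CSPRNG.
    Uniform, independent draws are what makes the keyspace math above apply."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    sample = "S9L4dk1i6sy5"  # the password quoted in the post
    size = implied_alphabet_size(sample)
    print(f"{sample}: alphabet {size}, keyspace {keyspace(size, 12):.2e}, "
          f"{entropy_bits(size, 12):.1f} bits, "
          f"~{average_crack_years(size, 12, 10_000):.1e} years at 10k guesses/s")
    print(f"with symbols, same length: {entropy_bits(94, 12):.1f} bits, "
          f"~{average_crack_years(94, 12, 10_000):.1e} years")
    print("fresh app password:", generate_app_password())
```

The numbers reproduce the thread: 62^12 is about 3.2*10^21, roughly 71 bits, and at 10,000 guesses per second the average online attack takes on the order of 5*10^9 years. Adding punctuation at the same length lifts this to about 79 bits; the assumptions that actually matter are that the generator is uniform and that the service throttles or locks out guesses, because 10,000 per second is already a generous online rate and an offline attack on a leaked hash database runs many orders of magnitude faster.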
  • 3
    @IntrusionCM SMTP, POP3 and IMAP do not allow usable 2FA. While all of them do support OAuth2 (with possible 2FA in the web browser), it is not supported in a manner that would work for arbitrary clients. Hence app passwords for those protocols are required.
  • 0
    @sbiewald Completely forgot this.

    Been using Protonmail for years....

    🤣🤣🤣

    Funny how you get so used to stuff that you completely blank out on such common knowledge.
  • 0
    @sbiewald Exactly.

    The weird thing is I get some notifications that some IPs logged in using an app password, but no mention of which of those app passwords was used to log in.

    And that's why I thought maybe these app passwords are too insecure, because these app passwords are only in my clipboard. But probably these sign-ins are from my mobile phone and GeoIP is not that reliable.
  • 0
    It is now, because whoever finds this, to crack a bunch of accounts, can now associate this password and this password pattern with your name.

    Other than that it really doesn't matter, as long as it's not a known bad password (like one known from breaches or whatever).