Reply to post:

Either my name, my password or my soul is invalid – but which?

EnviableOne Silver badge

Doesnt even have to knick your phone, can re-route using SS7, NIST, NCSC et al. have recommended against SMS second factor for an age.

IMHO, the best second factor available at the minute is the OAuth2.0 TOTP.

However why people are still dreaming up passwords i dont know, just plug the rules into your pwd manager hit generate, et voila ... PLus it evades the 5$ wrench method. I dont even know what most of my passwords are!

password size limit is redundant, a hash comes out the same length no matter the input.

forcing types is useless, length trumps complexity. even if its all lower case a 14 char pwd takes longer to brute force than an 8 char alpha num with specials and uppers.

force a minimum of 12 chars, tie this to the pwnedpassword database, and dissalow anything that was breached, or in a sector/site specific common words list, and roberts your parents male sibling

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon


Biting the hand that feeds IT © 1998–2020