SN 965: Passkeys vs. 2FA

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

It amuses me that Steve suggests that people using no password manager are all using weak passwords, because although you’re using a password manager to generate strong passwords, you’re probably using an easily memorable master password. As for email-only login, it’ll probably mean social engineering attacks increase.
I suppose that, even if you’re using your own domain, a site could check the MX record, which would tell it if you’re using a forwarding service.
As for maximum password length, and you can correct me if I’m wrong, but SHA1 produces a 38-character string and I’m not sure of the bit length but wouldn’t that mean that, over a certain length, hash collisions become more likely?

If I understand your thinking, it’s wrong. A hash always produces the same length output, no matter the amount of input. The password length won’t make a collision any more likely… for the size of the hash, say 256 bits for SHA256, then the chance of a collision is ALWAYS 1:2^256 for every possible string.

2 Likes
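
The point in the reply above can be checked empirically. The following is an added example, not part of any post in this thread: it confirms that SHA-1 and SHA-256 digests keep a fixed size (160 and 256 bits, i.e. 40 and 64 hex characters) whatever the input length, then counts collisions for short and long inputs. Truncating SHA-256 to 16 bits and the sample size of 4000 are assumptions made so that collisions are observable in a quick run.

```python
import hashlib
from collections import Counter

TRUNC_BITS = 16   # assumption: shrink the digest so collisions show up quickly
N = 4000          # constructed sample: N distinct inputs per run


def digest_hex_len(algo: str, msg_len: int) -> int:
    """Hex length of the digest of a msg_len-byte input."""
    return len(hashlib.new(algo, b"a" * msg_len).hexdigest())


def truncated(msg: bytes) -> int:
    """Top TRUNC_BITS bits of SHA-256(msg), as an integer."""
    return int.from_bytes(hashlib.sha256(msg).digest()[: TRUNC_BITS // 8], "big")


def colliding_pairs(total_len: int) -> int:
    """Pairs of distinct total_len-byte inputs that share a truncated digest."""
    pad = b"x" * (total_len - 8)          # 8-byte counter + padding
    buckets = Counter(truncated(b"%08d" % i + pad) for i in range(N))
    return sum(c * (c - 1) // 2 for c in buckets.values())


def expected_pairs() -> float:
    """Each pair collides with probability 1 / 2**TRUNC_BITS, for any length."""
    return N * (N - 1) / 2 / 2 ** TRUNC_BITS


if __name__ == "__main__":
    for algo in ("sha1", "sha256"):
        print(algo, [digest_hex_len(algo, n) for n in (1, 64, 10_000)])
    print("expected colliding pairs:", round(expected_pairs(), 1))
    for length in (8, 200):
        print(f"{length:>3}-byte inputs:", colliding_pairs(length))
```

Both input lengths land close to the same expected count, because the collision rate is set by the output size rather than by how long the password is.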