Is it safe to use a weak password as long as I have two-factor authentication?

Question

I'm careful to use strong passwords (according to How Big is Your Haystack, my passwords would take a massive cracking array 1.5 million centuries to crack), I don't reuse passwords across sites, and I use two-factor authentication where it's available.

But typing in those passwords all the time is a real hassle, especially on a phone or tablet. A friend recently asked why I don't just use a relatively weak password for sites like Gmail where I have two-factor authentication enabled, and I didn't really have a good answer. Even if someone brute-forced my password, they'd still need to be in physical possession of my phone to get in.

So: Is it safe to weaken my Gmail password for my own convenience? Or is there a realistic scenario that I'm not taking into consideration?

Clarification: I'm not talking about using a trivial password (e.g. "a") - no site will let me do that anyway. I'm talking about going from a 16-character password with a search space on the order of 10³⁰ to an 8-character password with a search space on the order of 10¹⁴.

Added the *trust* tag as when lowering password entropy one must trust the other factor significantly more than the password. IMO this is a trust issue. If you trust that only you have access to your phone at all time and is the only one to successfully authenticate to it (if it is protected), you may argue that the phone is a security mechanism much better than the password. However, if your password is 'A' and someone did actually get hold of your phone, you might think otherwise. — Henning Klevjer, Nov 11 '12 at 10:19
Side-note 1: If you ever enter the password on the same device you use for two-factor-auth, it degrades to one-factor-auth. — CodesInChaos, Nov 11 '12 at 10:34
Side-note 2: That website does not give you good estimates for password strength. It typically vastly overestimates the strength of a password. Read the notes at the bottom of the page. — CodesInChaos, Nov 11 '12 at 10:37
@CodesInChaos - Can you explain your point about using the same device? Seems to me that someone would still have to (a) know my password and (b) be in possession of my device in order to gain access. — Herb Caudill, Nov 11 '12 at 16:28
Somebody just needs to compromize a single device(Put a trojan on your device). So it's a single point of failure. — CodesInChaos, Nov 11 '12 at 16:31
@CodesInChaos - So just to make sure I understand the scenario: Without physical possession of my phone, Chuck puts a trojan on my phone that reports both my Google password and the verification messages I get back from Google. Chuck then immediately uses both of those to gain access to my account. Do I have that right? I would have thought that the 6-digit code Google issues is only valid for the IP address and/or physical device I'm trying to log in from. — Herb Caudill, Nov 11 '12 at 16:39
And, more specifically, is it even possible for such a trojan to install and successfully access that information on a non-jailbroken iPhone? — Herb Caudill, Nov 11 '12 at 16:41
@HerbCaudill Recently, Safari browser had holes that allowed malicious websites to inject code that pulled user data off of non-jailbroken phones. — schroeder, Nov 14 '12 at 23:54
"But typing in those passwords all the time is a real hassle, especially on a phone or tablet" Password managers to the rescue! — JAB, Mar 06 '18 at 00:22

score 25 · Accepted Answer · answered Nov 14 '12 at 22:01

Specifically for Google, if you use two-factor authentication it is safe to "weaken" your password "from a 16-character password with a search space on the order of 10³⁰ to an 8-character password with a search space on the order of 10¹⁴" as long as you use a good 8-character password (i.e. completely random and not re-used across sites).

The strength of two-factor authentication lies in the assumption that the two factors require different kinds of attack and it is unlikely that a single attacker would perform both kinds of attacks on a single target. To answer your question we need to analyze what attacks are possible on weaker passwords compared to stronger passwords and how likely it is that someone who is able to attack weaker passwords but not longer passwords will attack the second authentication factor.

Now the security delta between "a 16-character password with a search space on the order of 10³⁰" and "an 8-character password with a search space on the order of 10¹⁴" isn't as large as you may think - there aren't that many attacks that the weaker password is susceptible to but the stronger one isn't. Re-using passwords is dangerous regardless of the password length. The same is true for MITM, key loggers and most other common attacks on passwords.

The kind of attacks in which the password length is meaningful are dictionary attacks - i.e. attacks in which the attacker does an exhaustive search for your password in a dictionary. Trying all possible passwords in the login screen is obviously not feasible for a search space of 10¹⁴, but if an attacker obtains a hash of your password then it may be feasible to check this hash for a search space of 10¹⁴ but not for a search space of 10³⁰.

Here is where the fact that you've specified Google in your question is important. Google are serious about password security and do what it takes to keep your hashed passwords secure. This includes protecting the servers on which the hashed passwords reside and using salt, pepper and key stretching to thwart a hacker who has somehow managed to get the hashed passwords.

If an attacker has succeeded in circumventing all the above, i.e. is able to obtain Google's database of salts and hashed passwords and is able to obtain the secret pepper and is able to do an exhaustive search with key stretching on a search space of 10¹⁴, then unless you're the director of the CIA that attacker won't be wasting any time on hacking your phone to bypass the second authentication factor - they will be too busy hacking the hundreds of millions of Gmail accounts that don't use two-factor authentication. Such a hacker isn't someone targeting you specifically - it's someone targeting the whole world.

If your data is so valuable that such a powerful hacker would target you specifically then you really shouldn't be putting your data in Gmail in the first place. For that matter you shouldn't be putting it on any computer that is connected to the Internet.

score 17 · Answer 2 · answered Nov 10 '12 at 22:19

A weak password + two-factor authentication might still be safer than a strong password alone but it will be less safe than a strong password + two-factor authentication.

It all depends on how weak you go: if you go all the way and make the password trivial you effectively end up with one-factor authentication (the Google text message to your phone). But this might still be more safe than your original strong password.

score 3 · Answer 3 · answered Nov 14 '12 at 22:36

First of all the fundamental concept of TFA: - something the user knows (the password you are using) - something the user has (in case of google this is your phone: they send you verification code on the phonenumber, you have provided)

First of you have to understand that judging by what you said:

But typing in those passwords all the time is a real hassle, especially on a phone or tablet.

this means that a lot of time you are using gmail from your phone, so if I have stolen/or taken your phone for some time - your TFA became just OFA with your password. I will tell you even more, that in some countries if you have connections to people who are working in mobile companies and have appropriate access - they can just issue a person your phone number. Another thing is that the attacker can intercept the authentication process, by which I mean that an attacker can just take your phone right when you suppose to get a message. After having this paranoiac I will start from another way

Just think for a little bit - TFA was used long time ago and used right now with millions of customers every day, with the space of 10000 (4 digits number). This is your bank card. How often was your card misused during your whole life? I assume not a lot. And I am pretty sure that most people would rather choose to get your money than to read your email.

Another point - google is not the worst company and they really make sure your data is secure (if someone prove them not - they will loose to their competitors who will make sure). So I am pretty sure they handle everything in a correct way and the point why they implemented TFA is to leverage low passwords.

This brings us to one of the most important issue in security: your security measures must be appropriate for the type of information you are trying to keep secret. Whenever I hear something like: "I use 40 digits password to access my weather forecast for tomorrow" my question is Why, I will use just 123 as a password? What will happen if I will get it - you will just create another account. So what is the point. Of course this is exaggeration.

But if you think that your correspondence is so important that someone will still your phone and will brute-force 16-characters to get it - most probably gmail is not good for you, as well as most probably that walking on the street without bodyguard as well.

score 2 · Answer 4 · edited Mar 05 '18 at 21:33

You've structured your question as its own answer.

Can you relax? Yes. Deploying a second factor adds security.

I'd be willing to bet my next week's pay that if you add 2Factor and drop your password from 32 to 31 characters, you haven't dropped security by any appreciable margin. I'm not willing to make the same bet if you drop the length of the password to 2 characters. Where is the boundary? How many characters is 2F worth? That's the question I want answered.

The relevant question is how much can you relax? How resilient are each of the mitigations? How independent? Those are the money questions.

score 1 · Answer 5 · answered Nov 10 '12 at 19:12

Well it's about personal preference. Gmail didn't introduce 2-step authentication, so that people can use weak passwords. It's there just as an added layer of security. Although there's very rare chance of getting into trouble with a weak password with 2 step verification. There're a list of backup codes and application-specific passwords, in case the user cant access their phone. But still I'd have used strong password, although not the one which takes millions of centuries to brute force, 20-30 years are enough for me. ;)

I'm asking a technical question, not a personal-preference question. What I'd like to hear is a plausible scenario where a weak password could get me into trouble in spite of 2SA. — , Nov 10 '12 at 20:31

score 1 · Answer 6 · answered Nov 11 '12 at 14:03

1

Yes indeed, don´t make the password too easy however, such that you basically end up with one factor authentication (i.e., the token).

answered Nov 11 '12 at 14:03

green

21
1

score 1 · Answer 7 · answered Nov 15 '12 at 14:14

The vulnerability in these two-stage password schemes is the delivery channel, i.e. wireless providers, SMS routing networks, your phone. Any of those could be attacked to intercept the one-time password sent by Google.

But attacks against accounts are rarely strictly technical, and almost always involve gaming some human somewhere in the chain.

As good as Google's system is, Wired is running an article describing an attack that nullifies its protections entirely.

Attackers impersonated a wireless account holder to add a forwarding number to the account, then selected the 'call me' option to have the code delivered, instead of SMS. When Google called with the OTP, the call was forwarded to the attacker's phone and they gained access to the Google account.

This is interesting - I've bookmarked the Wired article to read - but is an answer to a different question. I wasn't really asking whether 2FA is invulnerable, but whether I can relax a bit about the crackability of my password if I'm using 2FA. — Herb Caudill, Nov 15 '12 at 17:14

score 1 · Answer 8 · answered Nov 16 '12 at 16:01

It's definitely a question of trust as Henning points out, but there is one important factor to add:

If the two way authentication is based on a mobile tan, then that adds only an additional layer of security really if the site isn't accessed by the phone. Else even though it's two layers, it's really just one. Weakening one is hence not a good idea.

Edit: just saw that CodesinChaos already posted this answer.

score 1 · Answer 9 · answered Nov 17 '12 at 22:32

1

If you don't want to type your password each time you can use a password manager like Keepass wich has an auto-type feature. Now all my password are differents and at least 20 randoms characters.

answered Nov 17 '12 at 22:32

null

1,193
6
16

score 1 · Answer 10 · answered Nov 19 '12 at 21:16

Gmail and Dropbox use OTP (one-time-password) as the second factor delivered to a mobile phone or calculated on a device that you own - 'what you have'. This is much more secure than a remembered password - 'what you know'.

As you point out, the only scenario is: 1. What you have - mobile phone or fob that generates or receives the OTP - is lost or stolen. 2. The weak password - what you know - is guessed or brute-forced in N attempts 3. The OTP generator and/or the login mechanism does not deny access before N attempts.

As an example, one of my clients has remote VPN access - with the logon id being the email (very easy to guess), and password that is composed of 4-digit PIN concatenated with a 6-digit OTP. If my phone with the OTP generator were to be stolen, the thief would need to guess the 4-digit PIN. If the remote access times out after 5 or 6 attempts, the math says that it would be pretty secure.

This mechanism would be exactly equivalent to a PIN on your phone that no one knows. If you are using Gmail for Apps or Exchange, you may want to enforce a PIN policy on your mobile phone, denying access to the OTP text message or generator.

Conclusion: weak password (at least 4 chars/digits) and OTP (two-factor token of 6 digis) would provide more protection against brute-force than just a strong password of 10 digits. However, this would not be effective in the condition that the weak password can be socially guessed by someone who can also have access to your mobile phone or FOB that is not protectd with a PIN. i.e. a malicious friend who knows your date of birth (weak password) and also has access to your unprotected mobile phone.

MITM is always a risk for the first factor(password) as it has a relatively long life, mitigated by TLS (SSL). — Akber Choudhry, Nov 20 '12 at 12:28

Tobias Kienzler · Answer 11 · 2013-02-21T09:35:23.260

You could use Keepass instead, which has been ported to various mobile devices. Set it up so that you only have to enter a strong (or weaker, since the database is local) password once a while and have it auto-insert the strong passwords to e.g. gmail.

If your device happens to support USB-A keyboards, you could even consider using a Yubikey (nano) with a static password (or in its default OTP mode, e.g. linked to LastPass). Then your only inconvenience (and yet safety) would be pushing the small button on it.

edit Since the Yubikey NEO has NFC support, you can also use it on the respective phones. I found some instructions on using that with LastPass here

Is it safe to use a weak password as long as I have two-factor authentication?

11 Answers11

Linked

Related