16

I've recently enabled 2-factor auth on a number of web apps, mostly using Google Authenticator. Does this mean that the importance of a strong password on each site is reduced? I would prefer to use passwords that are easy to type on a mobile device, if that doesn't compromise security too much.

EDIT

My particular need for wanting to shorten/simplify passwords is about the time it takes to enter punctuation on a tablet/phone - 3 taps (, !, ), and 2 for a capital letter. From these answers, I'm thinking a better approach would be a longer password consisting only of lowercase and numbers, possibly with repeated letters. (Jamming 'kkkkk' on the end of a password would probably make it a fair bit stronger, while being very quick to enter.)

[note: I originally posted this to Superuser as the blurb for this site says it's for "information security professionals"]

Steve Bennett
  • 313
  • 2
  • 7
  • What does the security of your Google account have to do with the security of another website? Long passwords are to avoid the brute force attack – Ramhound Jan 29 '14 at 12:16
  • 2
    Keep in mind, the very device you are trying to type your short, easy passwords on is also the one getting the 2FA notifications, so if someone has your phone, a strong password is the only remaining barrier to them accessing your accounts. 2FA helps nothing if you are logging into whatever service via your mobile. The system was designed so that you, as a PC user, must know something (your password) and have something (your phone) in order to log in. Logging in from your phone just reduces that to one thing again. – Frank Thomas Jan 29 '14 at 13:40
  • I've been meaning to ask this one for awhile. It's especially good to know for some 2FA systems which *require* a short password (i.e.: bank cards with 4-digit PINs). – Iszi Jan 29 '14 at 15:04

4 Answers

20

Mostly, two-factor authentication reduces the need for strong passwords in the same way as safety belts in cars reduce the need for efficient brakes. When you drive your car, your probability of being killed during a given journey is the probability of your having an accident, multiplied by the probability of your being killed when an accident occurs. Good brakes reduce the first probability, while the safety belt reduces the second probability. For a given target probability of dying, if you enhance the safety belt (e.g. by fastening it, compared to not fastening it), then you can tolerate less effective braking.

The relationship between the authentication factors is somewhat similar. You use 2FA so that the failure of one factor does not grant access to attackers. So if a password is one factor, then the second factor can save your skin if the password turned out to be weak.

An extreme example is a smart card: most banking cards use a 4-digit PIN code, which, for a password, is pathetically weak. However, the card will lock itself after 3 bad PIN codes, making such poor passwords tolerable. The "second factor" here is physical ownership of the card: attackers cannot try PIN codes without having the card in hand and talking to the card, under the scope of the 3-bad-codes rule.

Ultimately, the choice is up to you, based on a risk analysis. Personally, I fasten my seatbelt and I keep my brakes in good condition; meaning that when I use 2FA, this is not to allow the use of poor passwords at an unchanged risk level, but to complement good passwords for a much lowered risk level.

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • Ok, I get your analogy, but, for argument's sake: there are basically two ways to defeat the 2nd factor. Either have my phone (in which case there are probably all sorts of ways of extracting the passwords out of it), or guess the 6-digit generated code - a 1 in a million shot. Next question: which would be preferable, when using two-factor: a short but unique primary, or a long primary used across most of the sites? – Steve Bennett Jan 30 '14 at 08:50
  • I think your analogy is somewhat flawed. The failures of the factors should not be viewed as independent events. If one factor has failed it has failed and an attacker could focus on breaking the second factor. I think it's more of additive than multiplicative effort. – skyking Sep 06 '20 at 10:43
8

It's a very subjective notion, and answers to this will be largely opinion based. The answer is basically: Kinda.

To expand:

  • 2FA does significantly increase the time taken to penetrate a system, so one view would be that you could reduce the quality of any password, so long as you have, overall, still increased the difficulty of getting in.
  • Another, IMO equally valid view, is that because 2FA doesn't make logging in significantly more difficult or complicated, decreasing the quality of a password, when you are already accustomed to using passwords, would be foolish, because it's a decrease in security you don't need to make.
  • Bear in mind that most 2FA systems will need a backup system to use if the 2FA token generator, be it a phone, keyfob or whatever, is not working. Google, for instance, can text another phone, or use single-use backup codes. If that's the case, then having a good password is a useful extra factor of protection, given that you don't have to use the 2FA.

Overall, I'd say that you should still use a good password, to guard against any vulnerabilities that emerge in the 2FA, or in the rest of the system as a whole.

Owen
  • 1,066
  • 5
  • 9
  • *decreasing the quality of a password, when you are already accustomed to using passwords, would be foolish* - the time to enter a 2FA password just went up a lot, so there's definitely logic in reducing the length/complexity of the primary to compensate. – Steve Bennett Jan 30 '14 at 08:51
  • The time went up a lot? I don't follow. It maybe takes me 3-5 seconds longer to login to a 2FA protected account. Unless I've missed your meaning, I think I disagree. – Owen Jan 30 '14 at 11:28
  • I think the best way I could view this alleged logic is that 2FA will help improve situations in a world where users use crap passwords. It would still be better if they used good ones. – Owen Jan 30 '14 at 11:29
  • Pull out phone, run authenticator, scroll to the right entry, read the number, type it in -> much more than 3-5 seconds. – Steve Bennett Jan 31 '14 at 00:00
  • 1
    Assuming that you're right about how much time 2FA adds, can you plausibly save the same amount of time by simplifying a password? I expect even if you can make your password a five letter word, it wouldn't save much more than a couple of seconds. Overall it doesn't seem like 2FA is really causing a problem, even if you use it multiple times daily. – Owen Jan 31 '14 at 12:29
2

It depends on the attack you are worried about, but not really. An offline attack against the password hash will be no more secure since the second factor is not a component of checking the hash. On the other hand, it does effectively prevent online attacks, but online attacks could be effectively prevented by a simple limit to the number of attempts before locking the account.

Thus, the only attack that SHOULD be effective against even a weak password is an offline attack since online methods should not allow guessing and for an offline attack, the second factor does nothing to prevent compromise of the password.

Additionally scary, if the hash table is compromised for an offline attack, there is also a reasonable chance that HOTP and TOTP devices are also likely to be compromised since the keys may leak from that same table. If you have a secure password, you would still be offered some level of protection since the hash would be of limited value to the attacker, but a weak password would rapidly be broken and the attacker could access your account.

AJ Henderson
  • 41,816
  • 5
  • 63
  • 110
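The distinction the answer above draws (online guessing that a lockout can bound, as in the 3-bad-PIN smart card example earlier on this page, versus an offline attack on a leaked row where the second factor is not consulted and the TOTP seed sits beside the hash) can be made concrete in a small model. This is an added example, not code from the page or from any of the services discussed; the user table, lockout threshold, PBKDF2 parameters and the RFC 6238 TOTP routine are my own choices.

```python
import hashlib
import hmac
import os
import struct

# Constructed in-memory user table standing in for a web app's database.
USERS = {}
MAX_FAILURES = 3          # online lockout, like the card's 3-bad-PIN rule
PBKDF2_ROUNDS = 100_000

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def register(user: str, password: str) -> None:
    """Store a salted PBKDF2 hash and a fresh TOTP seed in the same row."""
    salt = os.urandom(16)
    USERS[user] = {
        "salt": salt,
        "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": os.urandom(20),   # leaks together with the hash if the table does
        "failures": 0,
    }

def check_hash(record: dict, password: str) -> bool:
    """The password check on its own: the second factor plays no part here,
    so against a leaked row only PBKDF2 cost and password strength remain."""
    guess = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(guess, record["hash"])

def login(user: str, password: str, code: str, now: int) -> str:
    """Online login path: both factors required, lockout after MAX_FAILURES."""
    rec = USERS[user]
    if rec["failures"] >= MAX_FAILURES:
        return "locked"
    expected = totp(rec["totp_secret"], now)
    if not (check_hash(rec, password) and hmac.compare_digest(code, expected)):
        rec["failures"] += 1
        return "denied"
    rec["failures"] = 0
    return "ok"
```

The lockout counter in `login` is what bounds online guessing; `check_hash` and `totp` show that neither the counter nor the second factor protects a record once it has left the server, which is the reason to keep the password strong and to store TOTP seeds separately from (or encrypted relative to) the password table.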
-1

Ok. No, two-step verification most certainly does not reduce the need for a long password. You should keep your password long and use numbers, letters, CAPITAL LETTERS and punctuation. Just because you have two-step verification does not mean that it has made it safe enough to prevent hijacking. You should also change your password frequently.

  • 2
    While this guidance may be required in some circumstances, and is broadly useful, blanket statements like this don't help. In some cases 2FA does reduce the need for a long password. And please read the questions already on here regarding frequent password changes: http://security.stackexchange.com/q/34985/485 – Rory Alsop Jan 30 '14 at 10:19
  • I guess Chrome and Google got it wrong. They are the ones I got my info from. They even did a small video pushing the use of long passwords while using 2-step verification. Maybe someone should explain to Google/Chrome that they are wrong under the circumstances. – user38175 Jan 31 '14 at 18:08
  • 1
    @user38175 where is that video? – cellepo Nov 24 '18 at 04:53