Best practice on 2FA

Kakkoister2
Community Member
edited May 2021 in Lounge

Hi,

I was wondering what is the best practice view on 2FA? Right now, I only use 2FA from a few websites for say financials. As my view right now is since the password generator makes the passwords for me. I always use random and the max limit. I would say in a way that is 2FA as only the password generator made the password, then I erase it after saving. As 2FA with a phone number, just has never seemed super secure to me, even though it's used so much. It seems impossible for someone to ever know the password without getting it from the info in 1Password. Would you agree? What's everyone's opinions on 2FA?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • ag_ana
    1Password Alumni

    Hi @tomatoshadow2!

    It seems impossible for someone to ever know the password without getting it from the info in 1Password.

    2FA is important for your online accounts, even if you use secure passwords. There are unfortunately regular breaches of websites online, so your credentials can be exposed even if they are not taken out of 1Password. Should that happen, of course you should change your passwords, but 2FA would give you an additional layer of protection.

    As 2FA with a phone number, just has never seemed super secure to me, even though it's used so much.

    2FA with a phone number is not secure, but 2FA with an authenticator app is a different matter: it's more secure :+1:

  • [Deleted User]
    Community Member

    @tomatoshadow2 The security threat is continuously evolving and, as @ag_ana says, websites are regularly being breached. So I always use the strongest 2FA that is available.
    If SMS text is the only option then I use that, as long as the website doesn't allow password reset by SMS text. If an authenticator app is an option then I use that and remove my phone number. If YubiKeys are supported then I use them and keep the authenticator app as a backup.

  • Kakkoister2
    Community Member
    edited May 2021

    @ag_ana Yes, good point, it's always the worry of a website. Yes, that's been another thing: even with a strong generated password, websites still send out about regular changing. I don't understand that, as I know from many of you at 1Password that's not really a best practice anymore, but companies still enforce it haha. Right, it's a shame some 2FA apps have little acceptance; to me it shouldn't matter the 2FA, it should just work.

    @missingbits Right, that's what's frustrating, not all websites offer it, I can name a few popular ones that don't and that's just mind blowing to me in today's age. Good on removing your phone number where it's not needed. You see so many people give away their phone number to services, without knowing what it's going to be used for. For me also, I guess when the info is out there from a breach, it's practically impossible to clean it up.

  • ag_ana
    1Password Alumni

    @tomatoshadow2:

    I don't understand that, as I know from many of you at 1Password, that's not really a best practice anymore, but companies still enforce it haha.

    When it comes to passwords, my experience is that it takes a while for websites and standards to update based on best practices I am afraid. As an example, just look at how many websites have weird password requirements which do not improve security at all. Password changes is another example, as you said.

  • Kakkoister2
    Community Member

    @ag_ana Right, I bet for you there are so many times where you just shake your head at what practices websites use. Yes, for example Bank A only lets you have an eight-character password, Bank B lets you have a max of a 40-character one, wth haha. Yes, by using 1Password and having all my passwords randomly generated for me, I've never understood the mandatory change; I imagine it's more for the people who are missing out on the great benefits of 1Password and/or a password manager in general.

  • ag_ana
    1Password Alumni
    edited May 2021

    @tomatoshadow2:

    I imagine more for the people, who are missing out on the great benefits of 1Password and or a password manager in general.

    That would be part of it for sure. If you create passwords manually, it's possible that those are not very good. But if you start with a long random password right away, it really doesn't make a lot of sense to keep changing them with other long random passwords, unless you know they have been compromised somehow, so they really need to be changed.

  • Kakkoister2
    Community Member

    @ag_ana Yes, this is a great point. I think especially when people are missing out on 1Password, they get lazy creating passwords, so I think having to be prompted to change them so much will make people only edit them a bit so they can remember.

  • ag_ana
    1Password Alumni

    will make people only edit them a bit so they can remember.

    Exactly this @tomatoshadow2 :+1:

  • kram5819
    Community Member

    My passwords all look like this:

    @!!q2q4456%$_ms3EW@!gbg^^%ds

    so good luck cracking them haaha

  • Ben

    :+1: :)

  • Kakkoister2
    Community Member

    @ag_ana If I can make a 128-character password for a website, am I gaining much over a 50-character one?

  • ag_ana
    1Password Alumni

    @tomatoshadow2:

    I think you gain a lot more if you go from a 10-character password to a 50-character password than going from a 50-character password to a 128-character password. It is obviously much better the longer the password is, but 50 characters is already a very strong one. So I would not change it on purpose just to extend the length (but it also depends on what website this is).

    I personally always create the maximum length of passwords that the website accepts, since I don't have to worry about remembering them anyway ;)
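    The "diminishing returns" point above can be put in numbers. This is an added example, not code from the thread or from 1Password: it computes the entropy of a uniformly random password as length times log2(alphabet size), and the expected time to brute-force it at an assumed offline guessing rate. The 94-symbol alphabet (printable ASCII without space) and the rate of 10^12 guesses per second are assumptions for illustration; 1Password's real generator alphabet is not stated in the thread. The bits keep growing linearly with length, but once a password's guess space already exceeds that of a 256-bit key, no attacker is guessing it, and extra length buys nothing in practice. Note, too, that all of this only covers an attacker guessing against a leaked password hash; a password leaked in plaintext by a breach is known at any length, which is exactly the gap 2FA covers.

```python
import math

# Assumed alphabet size: 94 printable ASCII symbols (letters, digits, punctuation).
ALPHABET_SIZE = 94
# Assumed offline guessing rate; a constructed figure for illustration only.
GUESSES_PER_SECOND = 1e12
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def password_bits(length: int, alphabet_size: int = ALPHABET_SIZE) -> float:
    """Entropy in bits of a password of `length` symbols chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def max_length_for_bits(bits: float, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Smallest length whose random password reaches the given number of bits."""
    return math.ceil(bits / math.log2(alphabet_size))


def expected_guesses(bits: float) -> float:
    """On average an attacker finds the password after trying half the space."""
    return 2 ** (bits - 1)


def years_to_crack(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected years of brute force at the assumed guessing rate."""
    return expected_guesses(bits) / guesses_per_second / SECONDS_PER_YEAR


def beyond_key_strength(bits: float, key_bits: int = 256) -> bool:
    """True once guessing the password is at least as hard as guessing a 256-bit key,
    the point past which extra length no longer changes practical security."""
    return bits >= key_bits


def compare_lengths(lengths=(8, 10, 20, 50, 128)) -> list:
    """Rows of (length, bits, years, beyond_256_bit_key) for a quick table."""
    rows = []
    for n in lengths:
        b = password_bits(n)
        rows.append((n, round(b, 1), years_to_crack(b), beyond_key_strength(b)))
    return rows


if __name__ == "__main__":
    for n, bits, years, saturated in compare_lengths():
        note = "already past 256-bit key strength" if saturated else ""
        print(f"{n:4d} chars: {bits:7.1f} bits, ~{years:.3g} years at 1e12 guesses/s {note}")
    print("length needed for 128 bits:", max_length_for_bits(128))
```

    On the assumed alphabet, 10 characters is about 65 bits (roughly a year at the assumed rate), 20 characters is already past 128 bits, and 50 characters is past 256 bits, so the jump from 10 to 50 crosses every practical threshold while the jump from 50 to 128 crosses none.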

  • Kakkoister2
    Community Member

    @ag_ana Right, yes, is this one of the main reasons why 1Password in the browser only goes up to 50? Yes, that was my thinking for why I would go back and change it to the max allowed. But since you stated I'm not gaining much, no need. Yes haha, 1Password's motto is set it and forget it, because it will remember it.

  • ag_ana
    1Password Alumni

    @tomatoshadow2:

    I think that's one of the reasons, yes; it's a matter of diminishing returns. I know though that there are efforts to bring feature parity to each 1Password client, extension included, so it's possible that in the future there will be no differences in the password generator.

This discussion has been closed.