Hacker News

I really hope other services start offering it as a feature.

Namecheap, I'm looking at you. DNS web apps are a huge possible attack vector.

Also, RE the Google one time use passwords for POP/IMAP. They are all lower case, alpha/numeric, and 8 chars long.

How secure are they against brute force? Why wouldn't Google offer 16 char options, or even longer? Is 8 good enough?



I make it 4 blocks of 4 random alphanumerics each, which is a pretty big search space.


I'm getting 16 character app specific passwords having just turned it on on one of my Google Accounts (all lowercase alpha though).


The application specific passwords are 16 characters long. Four blocks of four lowercase characters.

I too would rather them be longer, and involve at least some numbers if not specials... but they're not THAT short.


Really? I was sure it was only 8 when I went through the process 2 weeks ago. 2 lots of 4.

Time to go and generate some new passwords!


Hmmm... I generated a batch about 2 months ago and another batch last week. In both cases, they were of the form

    llll llll llll llll
(l: [a-z])


Happy to stand corrected. My apologies all round.

Thanks everyone!


They've been 16 chars for at least several months.


> Is 8 good enough?

Depends on how good their intrusion detection is.


> Namecheap, I'm looking at you. DNS web apps are a huge possible attack vector.

The least they could do is offer IP whitelisting like Linode does.


Doesn't help if they target your provider:

  http://slashdot.org/story/12/03/02/0059202/linode-exploit-caused-theft-of-thousands-of-bitcoins



