![]() Once you forget your password, Google offers a few easy ways to recover your Google account using email and SMS verification. ![]() There may be a time when you might forget your Gmail/Google account password. Regardless of personal or work-related stuff, most of us depend on Gmail to get updates or to get some work done. Please don't write them down.Gmail has become one of the most used Google services for almost all Google account holders. If you insist on writing backup codes down, then consider this solution.īut my advice is, if you really must keep backup codes on "yourself", consider learning one (or two) per service and disabling the rest. Whether the keys can be easy-to-remember passphrases or not, you can only remember so many (and usually you get backup codes in batches of ten, and you can't write down the keys). Doing this requires you to generate and remember as many keys as you have passwords, which amounts to as much as remembering the passwords themselves. I (only partially) disagree with the answer advising to use a one-time pad for backup codes. With this being said, I don't think there is a best practice for this. There is no need to specify what service they are for, the most common and obvious are going to be tested and most probably the thief will be right. There is a very high chance these codes are for your GMail account, or your iCloud account, or your Amazon account. Do you carry your regular passwords in written form in your wallet? You should treat them as first-class passwords. Your account would be more secure if none of those backup passwords exist: they are the antithesis of why 2FA exists in the first place. ![]() After all, if backup codes exist, they become more valuable than your account's password. With this in mind, you should consider whether you want to keep them around at all. They are more powerful than the regular account password. They are essentially a backdoor through to your 2FA-secured account. Storing them on your person is a Bad Idea.īackup codes are bypass passwords. Therefore, any non-obvious key such as an easy-to-remember phrase or sentence can be used to encrypt the 2fa codes. While SHA-1 may not be perfectly uniform, SHA-1 is nearly-uniform and close enough to uniform that frequency analysis is not a feasible attack. Google Authenticator and other 2fa providers use a hash generated by SHA-1 to generate the 2fa codes which is the standard for HOTP (RFC4226) and TOTP (RFC6238). But in general, either the plaintext or the key need to be uniform. When using One-Time Pads (OTP) to encrypt a sentence, the key must be uniform to guard against frequency analysis. Therefore, you should use a different key for each account which negates one of the major benefits of this method: that you only have to memorize one key. Your 2fa backup code security is then only as good as the weakest account provider. While it is standard practice for account providers to rate-limit logins to help prevent brute-force attacks, some account providers may have worse protection than others and it should not be assumed that all account providers have adequate protection. One weakness of this is if you use the same key to use a One-Time Pad to encrypt all your 2fa backup codes and one of your codes gets brute-forced, the attacker can derive the key and then decrypt all your codes. Since the 2fa code's characters are nearly-uniform (all characters are equally likely to appear in each key position), you can use a non-uniform key such as an easy-to-remember phrase.Ī bonus to encrypting your codes is you can carry multiple copies of them (one in your suitcase, one in your wallet, one on a public URL) and not worry about them getting lost or stolen. Then you can easily decrypt them with a pen and paper as long as you remember the key. Use the One-Time Pad method to encrypt the codes.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |