First, let’s analyze the “leet”-style password (for more information on leet or leetspeak, take a look at this article from Wikipedia). While this may seem like a fantastic way to obscure a standard password, password-cracking tools have recognized the common character substitutions for many years. A cracker does not search every possible string: it starts from a dictionary word and applies substitution rules (a becomes @ or 4, e becomes 3, s becomes 5 or $, and so on), so a “leet” variant is only a few rule applications away from its base word. Even combining a word or two with character substitutions (leetpassword can become 1337p@55W0rd, for example) adds little, because the attacker only has to try a handful of substitutions per letter rather than every printable character, and as computing systems become more powerful, the number of candidates they can test per second keeps growing dramatically.
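To make the point above concrete, here is an added example (not code from the original article) of how a rule-based cracker handles leet substitutions. The substitution table is a small, hypothetical rule set modelled on the kind of rules cracking tools ship with, the word list is constructed, and the target is a constructed SHA-256 of the article’s own example password 1337p@55W0rd; the 82-character alphabet matches the exercise at the end of the page.

```python
"""Added example: how a rule-based cracker defeats "leet" substitutions.

Assumptions (not from the original article): LEET_RULES is a small
hypothetical rule set, the word list is constructed, and the target hash is
a constructed SHA-256 of the article's example password 1337p@55W0rd.
"""
import hashlib
import itertools

# Per-letter substitutions a rule-based attack tries. Letters not listed only
# get their lower/upper-case forms. Hypothetical, deliberately small table.
LEET_RULES = {
    "a": ["a", "A", "@", "4"],
    "e": ["e", "E", "3"],
    "i": ["i", "I", "1", "!"],
    "l": ["l", "L", "1"],
    "o": ["o", "O", "0"],
    "s": ["s", "S", "5", "$"],
    "t": ["t", "T", "7"],
}

ALPHABET_SIZE = 82  # 52 letters + 10 digits + 20 specials, as in the exercise


def choices_for(word):
    """Per-position candidate characters for one dictionary word."""
    return [LEET_RULES.get(ch, [ch, ch.upper()]) for ch in word.lower()]


def leet_variants(word):
    """Yield every spelling of `word` reachable with the substitution rules."""
    for combo in itertools.product(*choices_for(word)):
        yield "".join(combo)


def candidate_count(word):
    """Number of variants the rules produce for one dictionary word."""
    n = 1
    for options in choices_for(word):
        n *= len(options)
    return n


def brute_force_space(length, alphabet=ALPHABET_SIZE):
    """Candidates an attacker with no word list would have to try: 82^n."""
    return alphabet ** length


def sha256_hex(text):
    """SHA-256 stands in for whatever fast, unsalted hash leaked; the point
    of the example is the candidate count, not the hash function."""
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_sha256, wordlist):
    """Try each word's leet variants until one hashes to the target.

    Returns (recovered_password, candidates_tried), or (None, tried).
    """
    tried = 0
    for word in wordlist:
        for cand in leet_variants(word):
            tried += 1
            if sha256_hex(cand) == target_sha256:
                return cand, tried
    return None, tried


if __name__ == "__main__":
    # Constructed target: the article's example password, hashed.
    target = sha256_hex("1337p@55W0rd")
    found, tried = crack(target, ["password", "letmein", "leetpassword"])
    print(f"recovered {found!r} after {tried:,} candidates")
    print(f"rules give {candidate_count('leetpassword'):,} variants of "
          f"'leetpassword' vs {brute_force_space(12):.2e} for blind 82^12")
```

Run it and note the ratio: the rules produce fewer than 250,000 variants of “leetpassword”, which the exercise’s 100,000-guesses-per-second attacker finishes in a few seconds, against roughly 10^23 strings for a blind search of the same 12-character space.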
So what is two-factor authentication (TFA or 2FA)? 2FA is a way of securing a system with more than one factor, typically something you know (a password or PIN) combined with something you have (a card, a phone, a hardware token). For example, when you take money out of an ATM, you need both your debit card and the PIN. Without both of these factors, the easiest way to get money out of the ATM might require some heavy-duty power tools.
Many email and bank accounts use 2FA by requiring you to first enter your password in the browser; the service then sends an SMS with a one-time code to your phone, and you enter that code as the final step to get into your account. This adds a layer of security because an attacker must both know your password and be able to read your text messages, which is harder than obtaining the password alone.
However, SMS is not as secure as you might think. What if someone were able to take over your mobile phone account? Of course someone could physically steal your phone, but that is not a requirement. Check this video out, specifically the section from 2:00 to 4:00. (Warning: mild language)
In that portion of the video, a social engineer gains complete access to someone’s cell phone account with a single phone call to the carrier. From there, an attacker can have the number moved to a device they control (a “SIM swap” or port-out), after which every SMS code for that number arrives at the attacker instead of the victim. Aside from social engineering, SMS has other known weaknesses: messages are not encrypted end to end and can be intercepted through the carriers’ SS7 signaling network or by malware on the phone, so a skilled attacker has several ways to read a text that was not intended for them.
Although these weaknesses exist, this does not mean that 2FA is unsafe. Many companies have switched to a form of 2FA that requires an app installed on your phone. When you enrol, the service and the app share a secret key (usually scanned from a QR code); from then on both sides independently compute the same code from that secret and the current time, and the code changes every 30 seconds (the TOTP algorithm, RFC 6238). The app needs no network connection and nothing is sent over SMS. Even if a code is observed, it is only valid for its 30-second window (servers usually tolerate one step of clock drift on either side), and a well-built server accepts each code only once. One example of an app-based 2FA is Google’s “Authenticator”.
The following image shows Google’s 2FA app called “Authenticator” with sensitive information marked out.
The following image shows a screenshot of a website accepting Google’s “Authenticator” 2FA data.
To sign in to an Authenticator-protected site, the user reads the current code from the app and checks the clock to the right of the code, which shows how much time remains before the code changes. As you can see from the app image, the app holds entries for several sites, not only Google: Authenticator implements an open standard (TOTP), so any site that supports it can be added, and any other TOTP app could be used in its place. Other than Google and Dropbox, sites that supported Google Authenticator include (as of a 2013 article): LastPass, Facebook, Evernote, Amazon, WordPress, and DreamHost, to name a few.
So to answer the initial question, yes, 2FA can be safer, but it depends on how you receive the second factor. An app-based code generator is more secure than an SMS-delivered code, because the secret never leaves your device and there is no phone account or carrier for an attacker to social-engineer.
1. Calculate the number of possible combinations of “leet”-style password letter combinations for a four-letter word, a six-letter word, an eight-letter word, and a 12-letter word.
a. 26 letters per case (upper and lower case), so 52 letters
b. 10 digits 0-9
c. Assume 20 “special characters” like @, #, $, %, etc.
d. 82 possible characters per position
e. 82^n combinations where n is the number of characters in your password
2. Assume a hacker’s computer can test 100,000 combinations per second. How much time would it take to test ALL of the possible combinations in a four-letter password? A six-letter password? An eight-letter password? A 12-letter password?
a. 82^4 is about 45 million possible combinations (45,212,176). That would take approximately eight minutes (452 seconds) at 100,000 combinations per second.
b. 82^6 is about 304 billion possible combinations. That would take just over five weeks (about 35 days) at 100,000 combinations per second.
c. 82^8 is about 2 quadrillion possible combinations (2 with 15 zeros). That would take about 650 years at 100,000 combinations per second.
d. 82^12 is about 92 sextillion possible combinations (92 with 21 zeros). That would take about 29 billion years at 100,000 combinations per second.
Note that these are exhaustive-search times; on average a brute-force attack finds the password after trying half the space. The 100,000-per-second rate is also very conservative: against a fast, unsalted hash such as MD5 or NTLM, a single modern GPU tests billions of candidates per second, and, as discussed above, an attacker who starts from a word list and substitution rules never has to search the full 82^n space at all.
3. If Google’s two-factor authentication app “Authenticator” changes 6-digit numbers every 30 seconds, how many possible combinations of passwords are generated every 30 seconds?
a. 10 digits 0-9
b. 10^n combinations where n is the number of digits in the code, so 10^6 = 1,000,000 possible codes in each 30-second window
4. Based on the calculations above, how is it possible that 2FA is more reliable than a 12-character
a. First, how many people use full “leet”-style passwords all the way out to 12 characters? Not many.
b. Second, 2FA uses only a six-digit code, but it is a second layer of protection behind the user’s password, and the two factors have to be attacked differently. A password can be attacked offline at millions of guesses per second if a hash leaks; the code cannot, because it is derived from a secret that never leaves the phone and the server. Knowing a code without the password is useless, and knowing the password only gets the attacker to the code prompt, where every guess must be submitted to the live server. Each guess has roughly a one-in-a-million chance of being right, every 30 seconds the Authenticator app and the server move on to a new code, and a properly configured server locks the account or slows its responses after a handful of wrong codes, so the attacker never gets anywhere near the million attempts a brute-force guess would need.
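The following is an added example (not code from the original article or from Google Authenticator) that ties together the 2FA section’s description of app and server computing the same 30-second code and answer 4’s point that a code is useless without the password and only briefly valid. It implements the TOTP/HOTP algorithms the app uses (RFC 6238 / RFC 4226) and a small server-side verifier. Assumptions: the shared secret and timestamps are the published RFC test vectors, and the lock-out after 5 failed codes is a hypothetical server policy.

```python
"""Added example: TOTP as used by Google Authenticator (RFC 6238 / RFC 4226).

Assumptions (not from the original article): the shared secret below is the
RFC 4226/6238 test-vector key, the timestamps are the RFC test times, and the
lock-out threshold of 5 failures is a hypothetical server policy.
"""
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / 30 s). This is what the
    phone app computes; the server computes the same value independently."""
    return hotp(secret, int(unix_time) // step, digits)


def secret_from_base32(text: str) -> bytes:
    """Secrets in otpauth:// QR codes are base32, usually without padding."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


class TotpVerifier:
    """Server side: accept the current step or one neighbour (clock drift),
    accept each step's code only once, lock after too many failures."""

    def __init__(self, secret: bytes, max_failures: int = 5,
                 step: int = 30, window: int = 1):
        self.secret = secret
        self.max_failures = max_failures  # hypothetical policy
        self.step = step
        self.window = window
        self.failures = 0
        self.used_counters = set()

    def check(self, code: str, unix_time: int) -> str:
        """Return 'ok', 'replay', 'bad' or 'locked'."""
        if self.failures >= self.max_failures:
            return "locked"
        counter = int(unix_time) // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            # compare_digest avoids leaking matched digits through timing
            if hmac.compare_digest(hotp(self.secret, c), code):
                if c in self.used_counters:
                    return "replay"
                self.used_counters.add(c)
                self.failures = 0
                return "ok"
        self.failures += 1
        return "bad"


def guess_success_probability(max_attempts: int, window: int = 1,
                              digits: int = 6) -> float:
    """Chance that an attacker who already has the password guesses a valid
    code before lock-out: accepted codes per attempt divided by code space."""
    return max_attempts * (2 * window + 1) / 10 ** digits


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 4226 / RFC 6238 test-vector secret
    print("codes:", totp(key, 59), totp(key, 1111111109), totp(key, 1234567890))
    v = TotpVerifier(key)
    code = totp(key, 59)  # generated on the "phone" at t=59
    print("accepted 11 s later:", v.check(code, 70))
    print("same code again:", v.check(code, 70))
    print("91 s later:", v.check(code, 150))
    print("guess odds before lock-out:", guess_success_probability(5))
```

The verifier shows why answer 4 holds: a code captured from the app is accepted once within its window and rejected as a replay afterwards, a stale code is simply wrong, and with a five-attempt lock-out an attacker who already holds the password has about a 1.5 in 100,000 chance of guessing their way past the second factor.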