5

I discovered that some applications (like Sylpheed) seem unable to support two factor authentication.

Google has a feature called application passwords - a separate password that "grants complete access to your Google Account".

Maybe I am missing something, but it seems to completely negate any benefits from enabling two factor authentication. Attacker again needs only to break a password.

Is it sensible to enable two factor authentication and then create a separate password that bypasses it?

Jens Erat
    The point with app passwords is that you can control each one individually. If you fear one of your app passwords is compromised, you can simply revoke it. – Boris the Spider Jan 18 '15 at 13:00

1 Answer

4

Google's application password is computer-generated, and so likely to be much stronger than a human-generated password. That is OK because the generated password is stored by the device, not memorized by a human. Google's application passwords appear to be 16 lowercase letters. That gives 4 × 10^22 combinations. An attacker who can try ten billion combinations per second would need about a year and three months to test all possible combinations. On the average, such an attacker would "hit" on the correct password in seven months.

Application passwords are intended only for devices to which two-factor authentication is not applicable. Remember, the three properties of information security are confidentiality, integrity, and availability. When you use an application password, you accept a notional decrease in confidentiality and integrity for a very real increase in availability; without the application password, you wouldn't be able to use your Google account at all on certain devices because the application wasn't designed for two-factor security. As Boris the Spider has already pointed out, you use these on a per-device basis. If my iPhone is stolen or lost, I can revoke the password. Presumably remote-wiping a lost device would delete the application password as well.

Finally, good security requires layered protection. If you are worried that, say, the government of Elbonia (or maybe the NSA) is trying to crack your Gmail, not only would you change the application password every month or so, you'd use something like GPG to encrypt your communications so that even a compromise of your Gmail account wouldn't compromise the contents of the messages.

Bob Brown
    You say "the" password but you can create multiple app-specific passwords. And, yes, for someone targeting you specifically it might be like climbing Everest. But if foreign hackers are running a constant stream of random password guesses at random accounts, it seems plausible that they could get some hits eventually. Then they have the keys to the kingdom for that account. My wish is that Google would at least allow you to make these app-specific passwords _more_ secure. – ryvantage Jan 05 '21 at 04:51
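As an added worked example, not part of Bob Brown's answer, the comments, or anything Google publishes: the brute-force arithmetic for a 16-character lowercase password carried through in code, using the answer's own figures (26 letters, 16 characters, an assumed attacker rate of 10^10 guesses per second), the same calculation for an 8-character mixed-case alphanumeric human-chosen password for comparison, and the expected yield of the large-scale online guessing ryvantage's comment describes. The online guess rate and duration are assumptions chosen for illustration, not measurements.

```python
import math

# Figures taken from the answer above: Google app passwords observed as
# 16 lowercase letters; attacker assumed capable of 10^10 guesses/second.
LOWERCASE_ALPHABET = 26
APP_PASSWORD_LENGTH = 16
OFFLINE_GUESSES_PER_SECOND = 1e10

# Comparison case (assumption): a typical human-chosen password of
# 8 characters drawn from upper, lower and digits.
MIXED_ALNUM_ALPHABET = 62
HUMAN_PASSWORD_LENGTH = 8

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` symbols over the alphabet."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Equivalent key length in bits for a uniformly random choice."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case for the attacker: every candidate is tried."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def expected_years(space: int, guesses_per_second: float) -> float:
    """Average case: the right guess lands halfway through the search."""
    return years_to_exhaust(space, guesses_per_second) / 2


def expected_hits(total_guesses: float, space: int) -> float:
    """Expected number of accounts broken by `total_guesses` random online
    guesses spread over many accounts, each holding an independent,
    uniformly random password from the same keyspace. Linear in the number
    of guesses because each guess succeeds with probability 1/space."""
    return total_guesses / space


def brute_force_summary(alphabet_size: int, length: int,
                        guesses_per_second: float) -> dict:
    """Collect the figures a practitioner would compare side by side."""
    space = keyspace(alphabet_size, length)
    return {
        "keyspace": space,
        "bits": entropy_bits(space),
        "years_to_exhaust": years_to_exhaust(space, guesses_per_second),
        "years_expected": expected_years(space, guesses_per_second),
    }


def online_spray_hits(guesses_per_second: float, years: float,
                      space: int) -> float:
    """Expected hits for an internet-wide spray at an assumed sustained
    rate for an assumed number of years (the scenario in the comment)."""
    total_guesses = guesses_per_second * years * SECONDS_PER_YEAR
    return expected_hits(total_guesses, space)


if __name__ == "__main__":
    app = brute_force_summary(LOWERCASE_ALPHABET, APP_PASSWORD_LENGTH,
                              OFFLINE_GUESSES_PER_SECOND)
    human = brute_force_summary(MIXED_ALNUM_ALPHABET, HUMAN_PASSWORD_LENGTH,
                                OFFLINE_GUESSES_PER_SECOND)
    print("16 lowercase letters:", app)
    print("8 mixed alphanumerics:", human)
    # Assumed spray: 10^6 online guesses/second across all accounts, 10 years.
    print("expected hits from a 10-year spray:",
          online_spray_hits(1e6, 10, app["keyspace"]))
```

Run it directly to print the three comparisons. The point the code makes concrete is the one the answer draws: the generated 16-letter password sits far beyond an offline attacker's reach at the stated rate, while an 8-character human password at the same rate falls in hours, and a random online spray across accounts yields a negligible expected number of hits.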