Comment by ulrikrasmussen
5 hours ago
Yes, but also plain guessing since passwords are usually chosen by the user and not generated by the server like TOTP secrets. Also phishing attacks tricking users into entering their passwords in fake login pages, and stolen password databases.
> Yes, but also plain guessing since passwords are usually chosen by the user and not generated by the server like TOTP secrets.
If we were talking about a >256-bit secret, I'd buy this, but in the human-calculated case I don't see how it actually helps with this, because you've substituted an ~8-character password for a 6-digit number, which is significantly less search space to brute-force.
> Also phishing attacks tricking users into entering their passwords in fake login pages
Yes, this is more or less a subset of the "keylogger/insecure login page" case.
> and stolen password databases
There's still a server-side TOTP secret database to be stolen, no? And normally that would be hard to reverse-engineer the actual secret from, but again, you've shrunk the search space down to 1,000,000 entries, which is trivial to brute force.
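To put numbers on the search-space comparison the reply makes, and to show the server-side control that separates an offline database leak from online guessing, here is an added Python example (not code from anyone in this thread). It implements HOTP/TOTP per RFC 4226/6238 with SHA-1 and 6 digits, computes the bit-size of each search space, and wraps verification in a per-account failed-attempt lockout. The ±1 step window and the 5-attempt lockout threshold are assumed parameters; the secret is the standard RFC test key.

```python
import hashlib
import hmac
import math
import struct
from dataclasses import dataclass

DIGITS = 6          # OTP length the thread discusses
STEP = 30           # RFC 6238 default time step, seconds
MAX_FAILED = 5      # assumed lockout threshold for this example

# RFC 4226 / RFC 6238 reference test key (ASCII "12345678901234567890")
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at) // step, digits)


def search_space_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of possible values: 10^6 codes vs. e.g. 95^8 printable-ASCII passwords."""
    return length * math.log2(alphabet_size)


@dataclass
class TotpVerifier:
    """Server-side check with a failed-attempt lockout, so the 10^6 space cannot be walked online."""
    secret: bytes
    window: int = 1            # assumed: accept the previous/next step for clock skew
    max_failed: int = MAX_FAILED
    failed: int = 0
    locked: bool = False

    def verify(self, code: str, now: float) -> bool:
        if self.locked:
            return False
        counter = int(now) // STEP
        candidates = [hotp(self.secret, max(0, counter + d)) for d in range(-self.window, self.window + 1)]
        # compare every candidate with a constant-time comparison, no early exit
        ok = any(hmac.compare_digest(c, code) for c in candidates)
        if ok:
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= self.max_failed:
            self.locked = True     # further attempts, even correct ones, are refused
        return False


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(TEST_SECRET, 0))         # RFC 4226 vector: 755224
    print("TOTP at t=59  :", totp(TEST_SECRET, 59))         # RFC 6238 vector (6 digits): 287082
    print("6-digit code bits :", round(search_space_bits(10, 6), 2))
    print("8-char password bits:", round(search_space_bits(95, 8), 2))
```

The point the numbers make: a stolen TOTP secret database is a key leak, not a hash leak, so the 6-digit code size is irrelevant there (the attacker has the secret). The small code space only matters when guesses are submitted to the verifier, and that is exactly where the lockout counter above bounds the attacker to a handful of tries per window.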