Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: keystroke on December 07, 2015, 06:10:52 AM



Title: Many web wallets/exchanges only use an 80 bit shared secret for time-based 2FA
Post by: keystroke on December 07, 2015, 06:10:52 AM
I took a look at the length of the shared secret, K, provided by the services listed below. They use the time-based OTP algorithm, RFC 6238. The HMAC-based OTP algorithm, RFC 4226, requires a 128-bit key and recommends a 160-bit key. RFC 6238 makes no such recommendation, although Google uses 160-bit and Amazon uses 320-bit for their own services. This is not an immediate practical issue, but these services should increase key lengths and be careful about using defaults.

320 bit
Amazon

256 bit
BTC-E

160 bit
Google
CEX.IO

120 bit
Kraken

80 bit
Coinbase
Bitstamp
Bitfinex
Poloniex
Purse
LocalBitcoins
OKCoin


Title: Re: Many web wallets/exchanges only use an 80 bit shared secret for time-based 2FA
Post by: unamis76 on December 07, 2015, 10:58:40 AM
Could the 2FA secret be calculated in a realistic time frame on those exchanges using 80 bit?


Title: Re: Many web wallets/exchanges only use an 80 bit shared secret for time-based 2FA
Post by: keystroke on December 07, 2015, 11:35:09 AM
> Could the 2FA secret be calculated in a realistic time frame on those exchanges using 80 bit?
Depends how much money someone is willing to invest, but that number comes down every year.


Title: Re: Many web wallets/exchanges only use an 80 bit shared secret for time-based 2FA
Post by: TastyChillySauce00 on December 07, 2015, 12:00:19 PM
Exchanges really lack security nowadays; no wonder some of them have been hacked and lost a few thousand BTC, like what happened before.