Passwords & Security conception and issues

[BCEmporium]

This is in reply to this, but I felt it would disturbing and going off-topic from what was being discussed there:

If you are worried about the security of your google account set up two factor authentication via sms or cellphone app. http://googleonlinesecurity.blogspot.com/2010/09/moving-security-beyond-passwords.html

I believe this is wrong in concept: Unfortunately, we often find that passwords are the weakest link in the security chain. the weakest link isn't the password, but commonly the ways you've to recover it.
For hotmail for an instance, a limited choice of questions, if given the right answer you would probably be easily hacked by someone who knows you. Actually it happened to me, with an ex-girlfriend opening my old mail unknowing the password, but, obviously, my mother's name.
Also these options are weaker to dictionary attacks, "where you born", "the name of your street", "your dog's name", "mother/father name", "car maker"... almost all rounds up to be common names. So, even if your password is aAjjsEW$$$%%@@hsu89y3 or even more complex and your security question is "What's your father name?" -> A: Bob you aren't safer than if the password itself would be Bob

"Two factor" also has a weak spot; what if you lose your cellphone? Or by some reason your operator cancels/changes your number?

[1715379305]

1715379305

[comboy]

"Two factor" also has a weak spot; what if you lose your cellphone? Or by some reason your operator cancels/changes your number?

I'm not using it but I believe "two factor" means you need phone AND your password.

For the case of lost phone you generate some backup codes ahead of time and store them safely.

[BCEmporium]

For the case of lost phone you generate some backup codes ahead of time and store them safely.

It's already a feature on some banks here, and it's a pain! Sometime ago I'd to receive from work but they had changed the mobile operator, so I had to wait a few more days for them to able to do the transfer, taken the online banking wasn't possible without the old, and already deactivated, numbers.
You can't also generates codes ahead in time, the code sent by SMS is only valid for a short period, 1/2 hour or so.

[comboy]

You can't also generates codes ahead in time, the code sent by SMS is only valid for a short period, 1/2 hour or so.

Well I was talking about google, not your bank. As I said these are backup codes that you generate in case of lost phone.

PS. http://www.google.com/support/accounts/bin/static.py?page=guide.cs&guide=1056283&topic=1056287

[BCEmporium]

You can't also generates codes ahead in time, the code sent by SMS is only valid for a short period, 1/2 hour or so.

Well I was talking about google, not your bank. As I said these are backup codes that you generate in case of lost phone.

For what I know, Google works the same way. You can't generate a code to use, let's say, next month. They're valid for a short time also.

You're right. They though on that one. 

[comboy]

You can't also generates codes ahead in time, the code sent by SMS is only valid for a short period, 1/2 hour or so.

Well I was talking about google, not your bank. As I said these are backup codes that you generate in case of lost phone.

For what I know, Google works the same way. You can't generate a code to use, let's say, next month. They're valid for a short time also.

http://www.google.com/support/accounts/bin/answer.py?answer=1187538

RTFM (that is, Read Their Fantastic Manual)

[BCEmporium]

Sorry man! Took a while to get to it. Google decided to show me a "sorry this page isn't available on your language, try PT-BR instead"... so I'd to enter in the "smart-language carousel" already corrected the post above.