³ Unasked / issues / ideas #
- show a real cracking demo (theory-only)
- explain why 12 random chars ≫ 8 “complex” ones
- what does Hashcat or an attacker w/ password hashes
- how does an attacker w/ my files I encrypted w/ encfs
² Good PWs matter #
⚝ Millions of password attempts never hit an app.
➽ They hit a file on the attacker’s machine: a leaked hash dump, cracked offline where no lockout or rate limit applies.
That’s why:
. password length matters more than complexity (length sets the keyspace the attacker must search)
. unique passwords matter (one cracked hash must not open other accounts)
. password managers work (they make long, unique passwords practical)
. MFA saves accounts even if the password is cracked
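The cracking demo and the “12 random chars ≫ 8 complex ones” point from the ideas list, as an added example (not from the original notes): a dictionary-plus-rules attack against a constructed “leaked” dump of unsalted SHA-256 hashes, followed by the keyspace arithmetic. Standard library only; the passwords, the five-word stand-in for rockyou.txt and the 1e10 hashes/s rate are assumptions.

```python
"""Added example, not from the original notes: a dictionary-plus-rules
attack on a constructed "leaked" hash dump, and the keyspace arithmetic
behind "length beats complexity". Standard library only; the passwords,
wordlist and the 1e10 hashes/s rate are assumptions."""
import hashlib


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed dump: what an attacker holds after a breach of a site that
# stored unsalted SHA-256. Only the hex hashes are assumed known to them.
LEAKED_HASHES = {sha256_hex(p) for p in (
    "Password1!",      # 10 chars, satisfies "upper+lower+digit+symbol" policies
    "Summer2024",      # word + year, the most common mangling
    "k4rQ9vL2mXpZ",    # 12 random alphanumeric chars
)}

# Stand-in for rockyou.txt (constructed).
WORDLIST = ["password", "summer", "letmein", "qwerty", "welcome"]


def mangle(word: str):
    """Hashcat-style rules: case variants x common suffixes."""
    for base in (word, word.capitalize(), word.upper()):
        for suffix in ("", "1", "123", "2023", "2024", "!", "1!"):
            yield base + suffix


def crack(dump: set, wordlist: list) -> tuple:
    """Offline attack: hash every candidate, look it up in the dump.
    Returns (cracked {hash: password}, number of candidates tried)."""
    cracked, tried = {}, 0
    for word in wordlist:
        for candidate in mangle(word):
            tried += 1
            h = sha256_hex(candidate)
            if h in dump:
                cracked[h] = candidate
    return cracked, tried


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates a mask/brute-force attack must try."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size: int, length: int, rate: float = 1e10) -> float:
    """Worst case at `rate` hashes/s (assumed GPU rig speed for a fast hash)."""
    return keyspace(alphabet_size, length) / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    found, tried = crack(LEAKED_HASHES, WORDLIST)
    print(f"{len(found)}/{len(LEAKED_HASHES)} cracked with {tried} guesses:")
    for h, pw in found.items():
        print(f"  {h[:16]}...  {pw!r}")
    print("uncracked:", len(LEAKED_HASHES) - len(found), "(the 12 random chars)")
    for label, n, k in (("8 chars, all 95 printable", 95, 8),
                        ("12 chars, lowercase only", 26, 12),
                        ("12 chars, alphanumeric", 62, 12)):
        print(f"{label:28s} keyspace={keyspace(n, k):.2e} "
              f"worst case={years_to_exhaust(n, k):.1f} years")
```

Both “complex” passwords fall in about a hundred guesses because the rules reproduce exactly the mangling humans apply; the 12 random characters survive the wordlist and sit in a keyspace roughly 500,000 times larger than all 8-character printable strings. Hashcat does the same thing at GPU speed (`hashcat -m 1400 -a 0 dump.txt rockyou.txt -r rules/best64.rule` for a wordlist with rules, `-a 3 ?a?a?a?a?a?a?a?a` for an 8-character mask). Salting and slow KDFs (bcrypt, scrypt, Argon2) change the attacker’s rate, not the keyspace; length is still what you control.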
² "False MFA" or "single-device MFA" #
³ Phone + SMS fails the spirit of MFA #
✔ Technically two factors (something you know + something you have)
❌ But both live in one physical object (the phone, with saved passwords and the SIM)
❌ But one point of failure: an unlocked, stolen phone yields both factors at once
³ MFA works when factors are truly independent #
Bad MFA:
. password + SMS on same phone
. password + email OTP (same device)
. app + SMS on same phone
Good MFA:
. password + hardware token
. password + authenticator app on a different device
. password + FIDO2 / passkey
. password + push approval that requires biometric unlock
³ Best: Passkeys / hardware-backed MFA (if supported) #
Examples:
. YubiKey
. FIDO2 security key
. Passkeys stored in Secure Enclave / TPM
Why this works:
. phishing-resistant (the assertion is bound to the site’s origin, so a look-alike site cannot relay it)
. device-bound (the private key never leaves the key or secure element)
. useless to a thief: a stolen phone cannot use the key without the biometric/PIN
. no codes to intercept
³ Very good: Authenticator app (not SMS) #
Use:
. Google Authenticator
. Aegis
. Microsoft Authenticator
. Authy (with care)
Best practice:
. authenticator app locked with separate PIN/biometric
. phone auto-lock after short time
. SIM PIN enabled
Even if phone is stolen:
. attacker still needs:
. device unlock
. app unlock
. account password
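What “no codes to intercept” in the passkey section and the authenticator-app ranking above mean in practice, as an added example (not part of the original notes): an authenticator app computes an RFC 6238 TOTP code that any phishing page can relay within the 30 s window, whereas a passkey assertion carries the origin the browser saw and a signature scoped to the relying party. TOTP is implemented as in the RFC and checked against its test vector; the passkey side is a simplified stand-in for the WebAuthn flow in which an HMAC keyed with a device-bound secret replaces the real private-key signature (an assumption, so it runs on the standard library alone). RP_ID, DEVICE_KEY and the origins are constructed.

```python
"""Added example, not from the original notes: why an authenticator-app
code can be phished and relayed while a passkey assertion cannot. TOTP is
RFC 6238 as-is; the passkey side is a simplified stand-in for the WebAuthn
flow in which an HMAC keyed with a device-bound secret replaces the real
private-key signature (assumption, so it runs on the standard library).
RP_ID, DEVICE_KEY and the origins are constructed."""
import hashlib
import hmac
import struct


# ---------- TOTP (RFC 6238): what an authenticator app computes ----------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_verify_totp(secret: bytes, code: str, unix_time: int, skew: int = 1) -> bool:
    """Typical server check: accept the current step and +/- skew steps."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * 30), code)
               for d in range(-skew, skew + 1))


def phish_totp(secret: bytes = b"12345678901234567890", now: int = 59) -> bool:
    """Adversary-in-the-middle: the victim types the code into the phishing
    page; the phisher submits it to the real server a few seconds later.
    Nothing in the code says where it was typed, so the server accepts."""
    code_typed_into_phish_site = totp(secret, now)
    return server_verify_totp(secret, code_typed_into_phish_site, now + 5)


# ---------- Passkey-style assertion (simplified WebAuthn) ----------
RP_ID = "bank.example"                                    # assumption
DEVICE_KEY = b"key that never leaves the secure element"  # stand-in for private key


def browser_allows(origin: str, rp_id: str) -> bool:
    """Browser-side scoping: a credential for rp_id is usable only from an
    origin whose host is rp_id or a subdomain of it."""
    host = origin.split("://", 1)[1].split("/")[0].split(":")[0]
    return host == rp_id or host.endswith("." + rp_id)


def authenticator_sign(rp_id: str, challenge: bytes, origin: str) -> dict:
    """Authenticator side: sign rpIdHash || hash(clientData); clientData
    carries the origin the browser observed, not one the page chose."""
    client_data = f'{{"challenge":"{challenge.hex()}","origin":"{origin}"}}'.encode()
    to_sign = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
    return {"client_data": client_data,
            "sig": hmac.new(DEVICE_KEY, to_sign, hashlib.sha256).digest()}


def rp_verify(expected_origin: str, challenge: bytes, assertion: dict) -> bool:
    """Relying party: origin and challenge must be ours, then the signature
    over our rpIdHash || hash(clientData) must verify."""
    cd = assertion["client_data"]
    text = cd.decode()
    if f'"origin":"{expected_origin}"' not in text or challenge.hex() not in text:
        return False
    to_sign = hashlib.sha256(RP_ID.encode()).digest() + hashlib.sha256(cd).digest()
    expected = hmac.new(DEVICE_KEY, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])


def legit_passkey_login(challenge: bytes = bytes(range(16))) -> bool:
    origin = "https://bank.example"
    return (browser_allows(origin, RP_ID)
            and rp_verify(origin, challenge, authenticator_sign(RP_ID, challenge, origin)))


def phish_passkey(challenge: bytes = bytes(range(16))) -> bool:
    """Phishing page on a look-alike origin relays the bank's real challenge.
    The browser refuses to use bank.example's credential there; and even an
    assertion obtained somehow carries the phishing origin, so the RP rejects it."""
    phish_origin = "https://bank-login.example"
    if browser_allows(phish_origin, RP_ID):
        return True                        # scoping check defeated (does not happen)
    relayed = authenticator_sign(RP_ID, challenge, phish_origin)
    return rp_verify("https://bank.example", challenge, relayed)


if __name__ == "__main__":
    print("RFC 6238 vector (8 digits, T=59):", totp(b"12345678901234567890", 59, digits=8))
    print("TOTP relay via phishing accepted by server:", phish_totp())
    print("Legit passkey login:", legit_passkey_login())
    print("Passkey relay via phishing accepted by server:", phish_passkey())
```

The TOTP relay succeeds because the code is a pure function of the shared secret and the clock; this is also why the authenticator app on a separate, locked device only protects against a stolen password, not against a phishing page. The passkey relay fails twice over: the browser will not use the credential from the wrong origin, and the relying party checks the origin inside the signed client data.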
³ ⚠️ Acceptable (but not ideal): SMS MFA #
Use only if:
. no other option exists
If forced to use SMS:
. Enable SIM PIN
. Disable SMS previews on lock screen
. Use strong device lock
. Enable account alerts
. Ask bank for transaction confirmation on separate channel
³ What you should do (practical checklist) #
For banking specifically:
✔ Strong device lock (PIN ≥ 6 digits or alphanumeric)
✔ Phone auto-lock ≤ 30 sec
✔ SIM PIN enabled
✔ App lock enabled (separate from phone)
✔ Prefer authenticator or hardware token over SMS
✔ Transaction confirmation step
✔ Daily transfer limits
If your bank only offers SMS MFA:
→ complain. Seriously. Banks respond to customer pressure.
³ Final truth (no marketing BS) #
. MFA is not “secure” by default.
. MFA is only secure when the factors don’t fall together (a stolen, unlocked phone must not yield both).
² Excursus: Bash: Remove tab and next line #
This text is copied from chatgpt.com, and unordered lists are badly formatted when inserted in e.g. geany.
³ ➽ Best solution #
. Lines starting w/ whitespace must start w/ '. ' instead
. Empty lines (or those containing only whitespace) are removed.
sed '/^[[:space:]]*$/d; s/^[[:space:]]\+/. /'
#=> /^[[:space:]]*$/d    # delete empty or all-whitespace lines
#=> s/^[[:space:]]\+/. / # replace one or more leading whitespace characters with '. ' (\+ is a GNU sed extension)
³ First idea / first step to solution #
sed -n '/^    /{s/^    //;p;N;d;}; p'
Purpose:
- For lines starting with 4 spaces: remove those 4 spaces, print the modified line, then swallow the immediately following line (the blank line chatgpt.com puts after each list item) without printing it.
- All other lines are printed as they are.
Breakdown:
- sed -n '...' : the -n flag tells sed not to print anything by default; printing is controlled manually with the p command.
- /^    /{ ... } : condition matching lines that start with 4 spaces (^ followed by four spaces); the commands inside { ... } run only on matching lines.
- s/^    // : on a matching line, substitute (remove) the 4 leading spaces.
- p : print the modified current line (4 spaces removed).
- N : append the next input line to the pattern space; it now holds current line + next line.
- d : delete the pattern space and start the next cycle. The current line was already printed by p, so the net effect is that only the next line is discarded.
- ; p (outside the block) : print every line that did not match /^    /; because of -n, lines are not printed automatically, so this is what prints the non-matching lines.
Caveat: if a matching line is the last line of input, N finds no next line and sed exits; the line was already printed by p, so nothing is lost.
