• rmuk@feddit.uk · 23 up, 1 down · 10 hours ago

    “You don’t need 2FA, just make sure to pick a good password.”

      • Lightfire228@pawb.social · 13 up · edited · 8 hours ago

        Yes, and no.

        If the password is stored properly (hashed and salted), then a high entropy PW will make it nearly impossible for your PW to be extracted from a database dump / data leak

        On the other end, if the PW is stored as plain-text, a high entropy PW is useless.

        In between (a weak hash algorithm or no salt), a high entropy PW still makes it much harder to extract, but it depends.

        In general, 2FA is more secure, since it combines 2 different methods of authentication.

        • something you know: password
        • something you have: the 2FA token (usually on a phone)

        This protects the service (as well as the user) against a broader range of attacks. Such as

        • password reuse (which nearly everyone does)
          • this is particularly bad, because you’re increasing the chance that a weakly designed system will have its data stolen, your reused PW and username included
        • phishing attempts
          • somewhat
        • low entropy passwords
        • replay attacks
          • since 2FA tokens are usually time based (TOTP), they expire after a few minutes and can’t be reused if an attacker manages to intercept one

        Among others