●Stories
●Firehose
●All
●Popular
●Polls
●Software
●Thought Leadership
Submit
●
Login
●or
●
Sign up
●Topics:
●Devices
●Build
●Entertainment
●Technology
●Open Source
●Science
●YRO
●Follow us:
●RSS
●Facebook
●LinkedIn
●Twitter
●
Youtube
●
Mastodon
●Bluesky
Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!
Forgot your password?
Close
This discussion has been archived.
No new comments can be posted.
Load All Comments
Full
Abbreviated
Hidden
/Sea
Score:
5
4
3
2
1
0
-1
More
Login
Forgot your password?
Close
Close
Log In/Create an Account
●
All
●
Insightful
●
Informative
●
Interesting
●
Funny
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
bywhoever57 ( 658626 ) writes:
Six digits is security theater. The system should have a rate-limiting setup that blocks any logins for a period of time after a number of failures. In this way, a 2FA with perhaps only 10,000 possible codes would be quite adequate.
twitter
facebook
byGuB-42 ( 2483988 ) writes:
On the scale of Google, it matters. Attackers won't try 10000 codes on the same account, they will be kicked out well before that. But they can try 10000 different accounts though a botnet and statistically, one of them will work, then, maybe retry every few hours. It will give the attackers a steady stream of accounts, and statically, every account attacked this way will be hacked after a few years. You can't block logins for too long either because it would make for an easy denial-of-service attack.
6 digi
There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.
Slashdot
●
●
Submit Story
It is much harder to find a job than to keep one.
●FAQ
●Story Archive
●Hall of Fame
●Advertising
●Terms
●Privacy Statement
●About
●Feedback
●Mobile View
●Blog
Do Not Sell or Share My Personal Information
Copyright © 2026 Slashdot Media. All Rights Reserved.
×
Close
Working...
Working...