Topic: Many web wallets/exchanges only use an 80 bit shared secret for time-based 2FA (Read 426 times)
legendary
Activity: 2982
Merit: 1028
Leading Crypto Sports Betting & Casino Platform
December 07, 2015, 08:00:19 AM
exchanger really lack of security nowadays, no wonder some of them being hacked and lost few thousand btc like what happening before
December 07, 2015, 07:35:09 AM
Could the 2FA secret be calculated in a realistic time frame on those exchanges using 80 bit?
Depends how much money someone is willing to invest, but that number comes down every year. December 07, 2015, 06:58:40 AM
Could the 2FA secret be calculated in a realistic time frame on those exchanges using 80 bit?
December 07, 2015, 02:10:52 AM
I took a look at the length of the shared secret, K, provided by the services listed below. They use the time-based OTP algorithm, RFC 6238. The HMAC-based OTP algorithm, RFC 4226, requires a 128 bit key and recommends a 160 bit key. RFC 6238 makes no such recommendation, although Google uses 160 bit and Amazon uses 320 bit for their own services. This is not an immediate practical issue, but these services should increase key lengths and be careful about using defaults.
320 bit
Amazon
256 bit
BTC-E
160 bit
Google
CEX.IO
120 bit
Kraken
80 bit
Coinbase
Bitstamp
Bitfinex
Poloniex
Purse
LocalBitcoins
OKCoin
320 bit
Amazon
256 bit
BTC-E
160 bit
CEX.IO
120 bit
Kraken
80 bit
Coinbase
Bitstamp
Bitfinex
Poloniex
Purse
LocalBitcoins
OKCoin
Jump to: