OTP tokens usually don't protect you against server database compromise because ... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		nly on Jan 4, 2014 \| parent \| context \| favorite \| on: How I reverse engineered my bank's security token OTP tokens usually don't protect you against server database compromise because they're completely symmetric. The server has a copy of the seed/key stored in the clear. OTPs really only protect you against key logging

jrockway on Jan 4, 2014 [–]

I mean for the password reuse case. You use the same password for example.com and Gmail. Someone steals the example.com password database. They still can't log into your Gmail account because they don't have your second factor.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact