I think the distinction is that it's two separate passphrases. It's not a matter of brute forcing an n+6 length passphrase (n being the length of your passphrase), but brute forcing a passphrase of length n, then brute forcing a 6 digit number. Both have to happen within 30 seconds. I'm not sure on the actual math to compare the complexities of these two, though. :] — gRegorLove.com

In reply to: https://kylewm.com/reply/2014/10/17/1/this-explanation-makes-me-think-totp

I think the distinction is that it's two separate passphrases. It's not a matter of brute forcing an n+6 length passphrase (n being the length of your passphrase), but brute forcing a passphrase of length n, then brute forcing a 6 digit number. Both have to happen within 30 seconds. I'm not sure on the actual math to compare the complexities of these two, though. :]

October 17, 2014