After the T-Mobile hack, I changed my password and my security code. However, I also use 2FA using one time passwords. How safe is that from a server side hack?
Servers are not supposed to save clear text passwords. Instead, they store a hash of the password. Even the server doesn’t know your password. Give them the password, and they put it through a sophisticated algorithm and see if they get the same hash.
However, the seeds for One Time Passwords can’t be hashed. They must be known to both the user and the server, so they both can use the same time-based algorithm. That means they can’t be easily encrypted.
Does that mean if someone breaks into the server, they can steal the password and the OTP seed?