Recently, I got an account at Medium to have another place to shamelessly spam my posts. After going through the annoying process of creating another account, I went to log in. This is where their security gets hilarious: at no point does Medium ask you for a password for your account during setup. I thought, “Ok, maybe they email you a temporary password, and you choose a new one after first login.”
Well, I was wrong. Medium chooses to rely on the less secure half of two-factor authentication alone. It never requires a password; it only requires clicking a login link it sends by email. Anyone who has set up an email server, or cares even slightly about security, knows this is bad. Plenty of email still travels across the Internet unencrypted because servers on one or both ends do not implement TLS (STARTTLS is opportunistic, so a single hop that lacks it falls back to plaintext). Combine that with the many people who read their mail over public wifi (coffee shops, airports), and whoever can see that one message on the wire can log in to the Medium account as easily as its owner.
On top of that, the generated links carry only modest entropy. Each token is 12 hexadecimal characters, which gives 16 to the 12th power (2^48, roughly 2.8 × 10^14) possibilities. The 15-minute lifetime Medium puts on each link does make online brute force impractical (an attacker would need on the order of 3 × 10^11 guesses per second to try them all before expiry), but none of that helps against the real problem: a link read off the wire in transit needs no guessing at all.
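To make the brute-force arithmetic concrete, here is an added example (not code from the original post, and not Medium's implementation). It takes the two figures the post gives, 12 hex characters and a 15-minute window, computes the keyspace and the guess rate an attacker would need to exhaust it before expiry, and estimates an attacker's odds at a chosen, hypothetical guess rate. The token generator at the end only shows what a token of the same shape looks like when drawn from a CSPRNG; it is an assumption about shape, not Medium's generator.

```python
import math
import secrets

# Parameters taken from the post: 12 hex characters, 15-minute expiry.
TOKEN_HEX_CHARS = 12
WINDOW_SECONDS = 15 * 60
HEX_ALPHABET = "0123456789abcdef"


def keyspace(hex_chars: int = TOKEN_HEX_CHARS) -> int:
    """Number of distinct tokens: 16 ** hex_chars (the post's 16^12)."""
    return 16 ** hex_chars


def entropy_bits(hex_chars: int = TOKEN_HEX_CHARS) -> float:
    """Entropy of a uniformly random token; each hex digit carries 4 bits."""
    return math.log2(keyspace(hex_chars))


def rate_to_exhaust(hex_chars: int = TOKEN_HEX_CHARS,
                    window_seconds: int = WINDOW_SECONDS) -> float:
    """Guesses per second needed to try every token before the link expires."""
    return keyspace(hex_chars) / window_seconds


def hit_probability(guess_rate: float,
                    valid_tokens: int = 1,
                    hex_chars: int = TOKEN_HEX_CHARS,
                    window_seconds: int = WINDOW_SECONDS) -> float:
    """Chance that `guess_rate` distinct guesses per second, sustained for the
    whole window, lands on one of `valid_tokens` currently live tokens.

    Guesses are assumed not to repeat, so the result is the fraction of the
    keyspace covered, multiplied by the number of live tokens (a union bound,
    capped at 1.0)."""
    guesses = min(guess_rate * window_seconds, keyspace(hex_chars))
    return min(1.0, guesses * valid_tokens / keyspace(hex_chars))


def new_token(hex_chars: int = TOKEN_HEX_CHARS) -> str:
    """A token of the same shape as the post describes, drawn from the OS
    CSPRNG. Illustrative only; this is not Medium's generator."""
    return "".join(secrets.choice(HEX_ALPHABET) for _ in range(hex_chars))


if __name__ == "__main__":
    print(f"keyspace: {keyspace():,} tokens ({entropy_bits():.0f} bits)")
    print(f"rate to exhaust in {WINDOW_SECONDS}s: {rate_to_exhaust():,.0f} guesses/s")
    # Hypothetical attacker sending 1,000 guesses/s at one live link.
    print(f"P(hit) at 1,000 guesses/s for the full window: {hit_probability(1_000):.2e}")
    print(f"sample token: {new_token()}")
```

The numbers show why the expiry window is not what makes this design weak: with 48 bits of token and 900 seconds to work in, an online attacker at a thousand guesses a second has odds around 3 × 10^-9. The attacker who reads the email in transit, on the other hand, gets the whole token in one step, so the interception risk the post raises is the one that matters.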
The lesson: if you are only going to use one of the two factors, make it the password, and enforce a good password policy.