What you don't know about passwords might hurt you
Posted 27 November 2012 - 05:48 AM
The majority of password problems these days (as you pointed out) are not people breaking down your password via brute methods, but breaking into a company and stealing everyone's passwords.
Oh, no wait. That means my password for linkedin needs to be picked out of the millions (you did say millions) of released passwords. Hmm. A very slim chance there.
Oh and you better use the on-line centralized versions of those password programs (yours does have one, doesn't it?) if you use multiple computers or public computers when you're on a holiday. Assuming you can now remember that super-long simple phrase password that you could be using for everything else. But what happens when dropbox gets hacked? Oops, sorry. Oh and you're still vulnerable with ANY password used if a site like linkedin gets hacked. Theoretically they can't use that password to get into other sites if you've been using a centralized password program.
Oh but you'd be wrong there too: if they can get personal info from the hacked account, they can now start using it to phone your other companies and use those facts to prove it is you. So all that personal info and data you've been putting in a centralized place out in the web? Oops.
In short, anything on-line is at risk. The actual chance of you getting hacked is tiny tiny (still not nice if it happens). And the likelihood is driven more by your own personal habits (storing personal info on-line) than it is by the security of your passwords.
Posted 27 November 2012 - 05:53 AM
"However, it’s very hard for a human to create a truly random password, but it’s easy for a computer to do."
Both halves of that are false. Strictly speaking, today's computers are incapable of generating "truly random" values. Contrarily, all a human has to do is close their eyes, then poke and mash on the keyboard several times as the mood suits them. In light of that, the claim that, "[a]nd that’s for passwords randomly generated by a computer. Passwords you create by hand must almost always be longer to have the equivalent strength," is obviously false. The strength of a password is entirely about the collection of characters. It doesn't matter how that collection was generated.
One addition: Every copy of Mac OS X installed includes a utility that can generate and securely store (but not auto-enter) passwords. Keychain Access is an eminently reasonable first step.
Posted 27 November 2012 - 06:34 AM
Posted 27 November 2012 - 07:02 AM
It's highly effective for brute force attacks. That said, I would hope most online services would lock out an IP that submits login attempts at an unhuman rate.
Posted 27 November 2012 - 07:36 AM
It seems like an obvious precaution to me, but then why are we talking about brute force attacks?
Posted 27 November 2012 - 07:50 AM
Posted 27 November 2012 - 07:53 AM
Posted 27 November 2012 - 08:06 AM
A lot of places still use some variant of this; Google starts requiring a captcha as well as a password after a certain number of failed attempts (and probably escalates beyond that if there continue to be failures). The limit of three has changed as people realize it catches a lot of legitimate users out (which then leads to more tech support calls and costs). A higher limit is pretty much equally effective against brute force attacks, so many places use higher limits which people will rarely hit. Likewise, hackers rarely target individuals in this manner and instead go for social engineering or work to attain user information in bulk, since it is a lot easier to hack a list of thousands or millions of passwords than just one.
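The two posts above (locking out a source that submits attempts at an inhuman rate, and escalating from a captcha to a lockout after a higher number of failures) describe a throttle on failed logins. The following is an added example of such a throttle, written for this page and not code from any commenter or service named in the thread. The thresholds, window length and lock duration are illustrative assumptions; the example keys failures on both the account name and the source IP so that an attacker cycling through many accounts from one address is still caught, and it uses an injectable clock so the sliding window can be exercised offline.

```python
import time
from collections import defaultdict, deque

# Illustrative thresholds (assumptions, not values from the thread).
CAPTCHA_AFTER = 3         # failures in the window before a CAPTCHA is required
LOCK_AFTER = 10           # failures in the window before a temporary lockout
WINDOW_SECONDS = 15 * 60  # sliding window over which failures are counted
LOCK_SECONDS = 30 * 60    # how long a lockout lasts


class LoginThrottle:
    """Escalating throttle keyed on both the account name and the source IP."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                   # injectable for testing
        self._failures = defaultdict(deque)   # key -> timestamps of failures
        self._locked_until = {}               # key -> time the lock expires

    def _count(self, key, now):
        """Drop failures that fell out of the window; return how many remain."""
        q = self._failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def _is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        # Lock expired: forget it and start the failure count afresh.
        del self._locked_until[key]
        self._failures[key].clear()
        return False

    def check(self, account, ip):
        """Decide how to treat a login attempt before the password is verified.

        Returns "locked", "captcha" or "allow". Both keys are consulted, so a
        high failure count on either the account or the IP is enough to escalate.
        """
        now = self._clock()
        keys = (("acct", account), ("ip", ip))
        if any(self._is_locked(k, now) for k in keys):
            return "locked"
        if any(self._count(k, now) >= CAPTCHA_AFTER for k in keys):
            return "captcha"
        return "allow"

    def record_failure(self, account, ip):
        """Count a failed attempt against both keys; lock any key that reaches LOCK_AFTER."""
        now = self._clock()
        for key in (("acct", account), ("ip", ip)):
            self._failures[key].append(now)
            if self._count(key, now) >= LOCK_AFTER:
                self._locked_until[key] = now + LOCK_SECONDS

    def record_success(self, account):
        """A correct password resets the account's counter only; the IP counter is
        kept, because one address may be shared by a legitimate user and an attacker."""
        self._failures[("acct", account)].clear()


if __name__ == "__main__":
    # Constructed walk-through: three failures from one IP trigger the CAPTCHA,
    # ten trigger a lockout, and the lock clears once LOCK_SECONDS have passed.
    fake_now = [0.0]
    throttle = LoginThrottle(clock=lambda: fake_now[0])
    for _ in range(3):
        throttle.record_failure("alice", "203.0.113.5")
    print(throttle.check("alice", "203.0.113.5"))   # captcha
    for _ in range(7):
        throttle.record_failure("alice", "203.0.113.5")
    print(throttle.check("alice", "203.0.113.5"))   # locked
    fake_now[0] += LOCK_SECONDS + 1
    print(throttle.check("alice", "203.0.113.5"))   # allow
```

The `check` call belongs before the password comparison, so that a locked or captcha-required attempt is never verified against the credential store at all; the two counters are separate because a per-account limit alone does nothing against an attacker trying one common password across thousands of accounts, while a per-IP limit alone is blind to a distributed attack, and using both is what lets the lockout threshold stay high enough that legitimate users rarely hit it.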