said by Kilroy: said by Snowy:
Snowy predicts that if Deloitte had factored in (or left in) account lockout policies their "90 percent" would drop to less than 5 percent.
The problem is that the current attack methods aren't brute force on the actual account, they are brute force on the captured password file, so lockout policies have nothing to do with the attack.
If Deloitte is talking about a 90% failure rate for passwords stored in the password file then logically the only way this can have any real world significance would be if 90% of all password files are insecure.
Sure, if they're talking about illegally accessed password files with plain text or simple hashing, then yeah, the password is pretty much toast.
That's like the security sites that ask you to drop your defenses so they can show you how insecure you are.
EDIT to add: I have been unable to locate where Deloitte specified their study was about hacked password files.
Where are you getting that from?
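An added example (not from the thread or from Deloitte) that puts numbers on the distinction being argued above: a lockout policy caps how many guesses an online attacker gets per account, while guessing against a captured password file is limited only by how expensive each hash is to compute. It assumes a constructed credential store with an unsalted fast hash beside a salted slow KDF; the lockout figures are constructed too.

```python
"""Online guessing (bounded by lockout) versus offline guessing against a
captured hash file (bounded only by hash cost). Constructed example."""
import hashlib
import hmac
import os
import time

# Constructed store parameters: the thread's "simple hashing" vs. a slow KDF.
SALT = os.urandom(16)
PBKDF2_ITERATIONS = 100_000


def fast_hash(password: str) -> bytes:
    """Unsalted single SHA-256: cheap for the site, cheap for the cracker."""
    return hashlib.sha256(password.encode()).digest()


def slow_hash(password: str, salt: bytes = SALT) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: every offline guess pays the iteration cost."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify(stored: bytes, candidate: str, hash_fn) -> bool:
    """Constant-time comparison, as a login check or an offline test would do."""
    return hmac.compare_digest(stored, hash_fn(candidate))


def online_guess_budget(lockout_threshold: int, lockout_minutes: float,
                        hours: float = 24) -> int:
    """Most guesses per account an online attacker gets in `hours` under a
    policy of `lockout_threshold` failures per `lockout_minutes` window."""
    windows = (hours * 60) / lockout_minutes
    return int(windows * lockout_threshold)


def offline_guesses_per_second(hash_fn, sample: int = 200) -> float:
    """Guesses per second one core can test against a captured hash.
    No lockout applies: the attacker already holds the file."""
    start = time.perf_counter()
    for i in range(sample):
        hash_fn(f"candidate{i}")
    return sample / (time.perf_counter() - start)


if __name__ == "__main__":
    print("online, 5 failures / 15 min lockout, per day:", online_guess_budget(5, 15))
    print("offline vs unsalted SHA-256, guesses/s: %.0f" % offline_guesses_per_second(fast_hash))
    print("offline vs PBKDF2, guesses/s:           %.0f" % offline_guesses_per_second(slow_hash, 20))
```

The online budget does not change with the hash scheme, and the offline rate does not change with the lockout policy; only the slow KDF moves the offline number.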