said by Kilroy: Snowy, you're just not getting it. Did you even read the article?
Yes, I read the article.
I just didn't get that the scope was framed around "90% of user generated passwords would fail if the password file were attacked". If it were, I'd think the title would have been "90% of password files are not secure".
The article would make even less sense if that's what it's about, because at the point of attack the password becomes dependent on the strength of the password file.
If it's stored in plain text then it's not 90% that would fail - it would be 100%.
How or if the password is salted would come into play, etc... there are too many variables to come up with a hard number as they did (90%).
Even if it were about passwords stored in a password file that was subjected to an attack:
1. They should have attacked a plain text file to get a 100% failure rate.
2. I'm not aware of any US financial institution that lost their password files - though anything is possible.
3. If their point was a stronger password to offset a lost password file, advocating a best policy in password file encryption would be more practical than changing the habits of 90% of humankind.