said by Snowy:
Snowy predicts that if Deloitte had factored in (or left in) account lockout policies their "90 percent" would drop to less than 5 percent.
The problem is that the current attack methods aren't brute force on the actual account, they are brute force on the captured password file, so lockout policies have nothing to do with the attack. By the time they are using your user name and password they already know what they are and the lock out policy won't be of any use.
The same issue applies to the suggestion from DarkSithPro. The password entry isn't the weakness. It is the loss of the password file. Having twenty levels of password checks does nothing if the one in charge of securing the data is the one who lost your user information in the first place.
The weakness comes from the off line attacks that are being run against the password files, provided the entity storing the data bothered to hash them.
Okay, you use long pass phrases, but do you have a different one for EVERY password? Probably not. So, once I have one of your pass phrases I can access other accounts on which you have used the same pass phrase. Additionally, if you used the same user name (if you had any choice, and an e-mail address isn't one), I already have all I need to be you.
A password generator is the only way to ensure that you have minimum exposure. I use LastPass with a Yubikey for two-factor authentication to my passwords. The problem comes in when the places that want a password limit the length. Fidelity is a personal favorite with that issue. I don't remember what their length limit is, but I do know it is less than 15 characters. Thanks for holding my money and not taking much effort to keep it secure.
--
Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something. - Robert A. Heinlein
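The point the post makes about offline attacks, as an added illustration that is not part of the thread and not anyone's production code: once the password file is lost, the login endpoint (and its lockout policy) is never touched again, so the only thing that still matters is how the file was stored. The script below contrasts a fast unsalted hash with a salted, deliberately slow KDF (PBKDF2-HMAC-SHA256, from the standard library) on a constructed set of three accounts, two of which reuse a passphrase. It shows two things the post alludes to: an unsalted file reveals password reuse between accounts before a single guess is made, and the number of hash computations needed to test a wordlist against the whole file differs by a factor of (users × iterations) between the two schemes. The user names, passphrases and the work-factor model are constructed assumptions for the example.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample data (not from the thread): three accounts, two of which
# reuse the same passphrase, exactly the reuse problem the post warns about.
SAMPLE_PASSWORDS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
    "carol": "a different passphrase entirely",
}


def store_fast_unsalted(password: str) -> str:
    """The weak scheme: one fast, unsalted hash. Equal passwords give equal hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_slow_salted(password: str, iterations: int = 600_000) -> str:
    """The sound scheme: a random per-user salt plus a deliberately slow KDF.
    The stored string carries everything needed to verify later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_slow_salted(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and iteration count, then compare
    in constant time so the check itself leaks nothing through timing."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def shared_password_groups(records: dict) -> list:
    """Groups of users whose stored values are identical. With unsalted hashes a
    leaked file exposes password reuse between accounts with no guessing at all;
    per-user salts make identical passwords look unrelated."""
    by_value = defaultdict(list)
    for user, value in records.items():
        by_value[value].append(user)
    return sorted(users for users in by_value.values() if len(users) > 1)


def offline_work(n_users: int, n_guesses: int, iterations: int, salted: bool) -> int:
    """Hash computations needed to test a wordlist against the whole leaked file.
    Unsalted fast hash: hash each guess once and compare it with every record.
    Salted slow KDF: every (user, guess) pair costs a full run of `iterations`.
    No login attempt is involved in either case, so lockout never triggers."""
    if not salted:
        return n_guesses
    return n_users * n_guesses * iterations


if __name__ == "__main__":
    fast = {u: store_fast_unsalted(p) for u, p in SAMPLE_PASSWORDS.items()}
    slow = {u: store_slow_salted(p) for u, p in SAMPLE_PASSWORDS.items()}
    print("reuse visible in unsalted file:", shared_password_groups(fast))
    print("reuse visible in salted file:  ", shared_password_groups(slow))
    print("login check still works:", verify_slow_salted(SAMPLE_PASSWORDS["alice"], slow["alice"]))
    # Cost of testing a million-word list against all three accounts under each scheme.
    print("work, unsalted:", offline_work(3, 10**6, 600_000, salted=False))
    print("work, salted:  ", offline_work(3, 10**6, 600_000, salted=True))
```

The design choice worth noting for anyone storing credentials: the iteration count is stored alongside the salt, so it can be raised for new records as hardware gets faster without breaking verification of old ones; the defender sets the cost of every offline guess, which is the only lever left once the file has been copied.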