Question about password security
January 9, 2013 10:27 AM
With email and website passwords, are successful "brute force" attacks still common, where an automated bot tries thousands and thousands of passwords on the same user account until one works?
posted by pete_22 to Computers & Internet (17 answers total) 14 users marked this as a favorite
It seems to me they should have been pretty well made redundant by the simple and widespread policy of locking an account after x number of false attempts within y time frame, and requiring some backup confirmation method thereafter to unlock it again. If any major sites are not following that policy, why not? If it's frequently being circumvented, then how?
And if in fact these brute force attacks are no longer common or effective, why are we still encouraged (and often required) to have complex passwords? Why do I hear things like "if your password is a word in the dictionary, you may as well not have one"? How can this be true? It seems like the complexity of the password is only a defense against brute force attacks, not phishing or large-scale server side hacks, keystroke loggers, leveraging one compromised account to get to others, and the other methods that now seem more common.
I mean, I realize that "password" is a dumb password, but is a random word like "vermouth" really less secure than "f3GveT8k"? I understand why it's much less secure in a theoretical sense, but in practical terms is it significantly more likely to get hacked?
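As an added illustration of the two attack models the question contrasts (online guessing, where account lockout applies, and offline cracking of a password hash taken in a server-side breach, where it does not), this short calculation is not part of the original post; the word-list size and the online and offline guess rates are constructed assumptions, chosen only to make the comparison concrete.

```python
# Added example: compare the guess space of a dictionary word and a random
# 8-character password under two attack models the question raises:
# online guessing (throttled by lockout) and offline cracking of a leaked hash.
import math
import string

# Constructed assumptions, not figures from the original post:
DICTIONARY_WORDS = 170_000      # rough size of an English word list
ONLINE_RATE = 5 / (15 * 60)     # lockout of 5 tries per 15 min, guesses/s
OFFLINE_RATE = 1e9              # fast unsalted hash on one GPU, hashes/s

def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet covering every character."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in password))

def keyspace_random(password: str) -> int:
    """Number of strings of the same length over the same alphabet."""
    return charset_size(password) ** len(password)

def entropy_bits(keyspace: int) -> float:
    """Guess space expressed in bits."""
    return math.log2(keyspace)

def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return keyspace / guesses_per_second

def compare(word_keyspace: int, random_pw: str) -> dict:
    """Worst-case seconds to exhaust each password under both models."""
    rnd = keyspace_random(random_pw)
    return {
        "dictionary_online": seconds_to_exhaust(word_keyspace, ONLINE_RATE),
        "dictionary_offline": seconds_to_exhaust(word_keyspace, OFFLINE_RATE),
        "random_online": seconds_to_exhaust(rnd, ONLINE_RATE),
        "random_offline": seconds_to_exhaust(rnd, OFFLINE_RATE),
    }

if __name__ == "__main__":
    print(f"vermouth: {entropy_bits(DICTIONARY_WORDS):.1f} bits, "
          f"f3GveT8k: {entropy_bits(keyspace_random('f3GveT8k')):.1f} bits")
    for name, secs in compare(DICTIONARY_WORDS, "f3GveT8k").items():
        print(f"{name:19s} {secs / 86400:>12.3g} days")
```

Under the lockout-limited online rate both passwords take months or longer to exhaust, so lockout does the work there; against a leaked fast hash the whole word list is tried in well under a second while the random string still takes days, which is where the complexity requirement earns its keep.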