It
is interesting, but as far as I could understand, only really relevant if the site has their password list stolen.
With a stolen file, the hackers can chomp away on it all they want, and make billions of guesses a second. But they can't do that without a list.
To just crack a site that I have a login/PW at, first they need to guess my login. Then they need to guess my PW. So unless the login is obvious, like a public forum that uses your screen name as the login, that adds to the complexity they have to crack. And for most sites, and I would hope all important ones, they lock you out for a time after three bad guesses. So they can't make billions of guesses a second (heck, the site and internet delay wouldn't respond that fast anyhow).
So if a bad guy is randomly attacking a financial site, I'd bet that first they test login names. When they have some that allow you to get through to the password page, they can then start guessing the password (so any site that has two separate screens for login/PW has a weakness - they give the cracker feedback when they guess only a login name, rather than login+PW). Then they hit one account with two guesses, and move on to the next, and come back after the time-out period. That slows them way down. So like the joke about the two hikers and a bear, you don't need to outsmart the hacker, you just need to be more secure than the other guy. Once they've cracked a few easy ones, I'd think the site would alert everyone.
Bottom line, the article seems to be saying it's very hard to have passwords that are good enough if the list gets stolen. So avoid the obvious/easy ones, and by then there should be enough alarm bells going off that the site managers reset everyone's passwords. Seems to me that 'good enough' is good enough.
I've finally cleaned up my password system. For all the sites that I don't really have security concerns about (who cares, and why would someone hack into my account to post to the Chicago Tribune or a hobby forum?), I have a somewhat complex, but easy for me to remember and type pw that I use for all of them. I don't need a list, or a program and it's plenty good enough, IMO.
For sites I
am concerned about, I have a standard set of phrases that I use to 'salt' a unique password. The phrases are somewhat complex, but easy for me to remember - not enough to avoid the hacking in a list like this article, but I think 'good enough' to avoid an outside attack. The beauty is, all I need is a list with a reminder of my logon for the site, and the unique part. I can put that in my wallet, or stick it to my monitor, or keep it in a file. The 'salt' phrases I use are only in my head, and written down in some obscure place with no other info tied to it.
So if I wanted an easy to use, but secure password for this site, the unique part might be erorgFIRE, and I'd 'salt' that with my standard phrases, which might be (but aren't
) mfOSIU1204 IWMinb80 Those phrases have meaning to me, they stand for something easy to recall, and I combine them with the unique part. So all I need on a sheet of paper is:
ERD50 - erorgFIRE
and that is enough trigger for me to know how to put it together, with my 'salting' pattern. Actually, my standard phrases are shorter, some financial sites won't allow that many char, which I should write to them about.
-ERD50
...
