My two cents on this. The greatest danger isn't in someone brute forcing your password but simply social engineering a password change.
Example: I personally had a PayPal account that was hacked. The "reset your password" question was "What is your frequent flier number". Thinking I was being unique, I put 666. Looking back, I wonder if the cracker who got in was even slowed down by it.

Another example. My mother is elderly, doesn't really like computers, and refuses to use a debit card, preferring to do all of her banking face to face. She sure as heck doesn't use online banking. One month her bank statement didn't arrive in the mail. She called the bank and they told her that she had called in and signed up for internet banking, which was paperless. She had also evidently wired several thousand dollars to various banks in Mexico, using her bank's easy transfer feature. She had them stop the internet banking and filed a police report.

A few days later the bank called her up to finish setting up the internet banking. Evidently the criminal had called the bank and said something along the lines of "Oh, I didn't realize that this website banking was the reason for not getting a statement. I really need it, it's such a handy thing." The bank was fully prepared to re-enable this criminal. It was only because the call dropped that the bank even bothered to call her back, and that was only to finish the setup. For the record, this perp has never been caught.

My point is that passwords, no matter how secure, are only as secure as the person answering the phone, who is always more than willing to go the extra mile to help!
