While it’s nothing new, it does revisit good advice that everyone should
follow: avoid passwords that are based on names of people close to you,
don’t think that sticking a digit at the end of your password makes it secure,
What it does do is make the same mistake that lots of “password security”
advice does – which is to assume that an attacker can test millions
of guesses per second. That’s only true if the attacker has access to
the password hashes, which usually means that he’s already got physical
access to your computer or has compromised the security database of an
application you sign into.
That’s a big assumption and I would venture that it’s almost always false.
If an attacker has to test passwords by trying to sign into one of your
accounts using a script, he’s unlikely to get more than about 1 guess
per second and he’s quite likely to trigger a lockout after a few tries.
Moreover, many on-line login systems now use CAPTCHs, so he can’t even
script the attack.
In short: protected and inaccessible password hash databases, slow
interactive login screens, intruder lockout mechanisms and CAPTCHAs
make brute force attacks, even optimized with good dictionaries, pretty
much useless, unless your password is *really* bad.
John also suggests that your bank account is linked to your e-mail
address, so a compromise of your e-mail could also compromise your bank
security. That’s a bit of a stretch, in my mind. I can’t comment about
all banks, but none of the financial institutions that I do business
with even know any of my e-mail addresses.
So here I’m just curious: does your bank use your e-mail address as an
out-of-band authentication factor?