Qwertycard password assistance cards - how good/bad an idea is this?

An important point to also emphasize - there are no algorithms for hacking passwords that say “getting warmer!”. Passwords (unless the site is really stupid) are stored as hashes. A good hash algorithm does not indicate a guess is close to correct - one character off and the resulting hash is far off. (Or else the hash algorithm is incorrectly chosen and weak, and there’s plenty of research to avoid this.)

So the enemy of dictionary attacks that include variants is the number of conceivable variants and whether there’s an algorithmic way to enumerate them…

Similarly, 2FA is great until you lose your phone or someone SIM-hijacks you. Every process has an upside and a downside. When the hackers get your Twitter password, it’s unlikely they also get control of your phone number.

Whether a greater effort will be made to hack your password depends on your target value. Rachel Maddow recently told the story of a Romanian hacker who broke into a number of assorted accounts for various celebrities - by the simple expedient of reading gossip websites and trying name of pet, mother’s maiden name, and whatever else he could dig up about the celebrities. But if we’re not Paris Hilton, basically as mentioned the hackers will just add us to an algorithmic dictionary attack and move on if that can’t figure out our password.
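The “no getting warmer” point made above, as an added example that is not from any poster in the thread: it hashes a constructed sample password and a few near-miss guesses and counts how many digest bits change. SHA-256 is used only to show the avalanche property; a site should store passwords with a slow, salted password hash such as bcrypt or Argon2, which has the same property.

```python
import hashlib


def bit_difference(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length byte strings differ."""
    if len(a) != len(b):
        raise ValueError("digests must be the same length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def digest(password: str) -> bytes:
    # SHA-256 stands in for whatever hash a site uses; only the avalanche
    # behaviour is being illustrated here, not a recommended password hash.
    return hashlib.sha256(password.encode("utf-8")).digest()


def compare_guess(correct: str, guess: str) -> dict:
    """How far a guess is from the real password in characters vs. in digest bits."""
    d_correct = digest(correct)
    d_guess = digest(guess)
    differing = bit_difference(d_correct, d_guess)
    total_bits = len(d_correct) * 8
    chars_off = sum(1 for x, y in zip(correct, guess) if x != y) + abs(len(correct) - len(guess))
    return {
        "guess": guess,
        "chars_off": chars_off,
        "bits_differing": differing,
        "fraction": differing / total_bits,
    }


# Constructed sample password and guesses that are one character off or wildly off.
SECRET = "My shoes are blue velvet 123"
GUESSES = [
    "My shoes are blue velvet 124",   # last digit wrong
    "My shoes are blue velvet 12",    # one character short
    "completely wrong",               # nothing in common
]

if __name__ == "__main__":
    for g in GUESSES:
        r = compare_guess(SECRET, g)
        print(f"{r['guess']!r:34} chars off={r['chars_off']:2d} "
              f"digest bits differing={r['bits_differing']:3d} ({r['fraction']:.0%})")
```

Whatever the guess, roughly half of the 256 digest bits differ, so the hash output carries no signal about how close the guess was; the attacker can only test whole candidates, which is why the size of the candidate space is what matters.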

Something easy to remember for user while looking much like random letters to an automated process.

This sentiment is why ransomware is a multi-billion industry.

Yes, there are people out to get you (all of us). Do use good security practices.

And what do you do if the automated process is smarter than simply trying random letters?

Or you get customer service that helps “you” out by changing your phone number for you when you can’t log into your account.

Worked in IT Security for 20 years and have run many password crackers (legally). A fairly recent study (sorry, I don’t have the source handy) showed that longer passwords are definitely safer. Something that I always advocated for business systems (to no avail most of the time).

One, because it takes longer to crack, and two, because there are so many ‘short’ passwords, it’s a waste of cpu cycles to attempt to crack the longer ones. In other words, why go after the hard ones when there’s so much low hanging fruit? Unless you are specifically targeted as an individual, using a ‘pass phrase’ is very effective against ID theft. 20 characters are not hard to memorize if you use a memorable phrase. “My shoes are blue velvet 123” - 28 characters, including a capital, spaces, and numbers. This is easy to remember, and even if you only change a few characters for re-use, is still long enough to deter most hackers.

That’s absolutely, definitely, without a doubt, true. The usual advice for improving password security is to increase the kinds of characters used in your password. But a password randomly generated from the set of all possible characters generatable on a standard English keyboard is actually less secure than one randomly generated entirely of digits, but twice as long: The keyboard characters have 95 possibilities (if the password field accepts spaces), while a pair of digits has 100 possibilities.
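The arithmetic behind the last two posts, as an added example that is not from any poster: it computes the entropy of a uniformly random password from an alphabet of a given size, compares n keyboard characters (95 printable ASCII symbols including space) with 2n digits, and estimates how long exhausting each keyspace would take. The guess rate of 10^10 per second and the 7776-word list size are constructed assumptions for the illustration, not figures from the thread.

```python
import math

# Constructed assumptions for the illustration only.
GUESSES_PER_SECOND = 1e10               # a fast offline attack against a fast, unsalted hash
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password chosen uniformly at random: `length` symbols from `alphabet_size` choices."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least two symbols and one position")
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every password in a keyspace of 2**bits at the given rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(n: int) -> dict:
    """n keyboard characters (95 symbols) versus 2n digits (10 symbols)."""
    kb = entropy_bits(95, n)
    dg = entropy_bits(10, 2 * n)
    return {"keyboard_bits": kb, "digits_bits": dg, "digits_win": dg > kb}


if __name__ == "__main__":
    print(f"{'n':>3} {'95-char x n':>12} {'digits x 2n':>12} {'years (keyboard)':>18}")
    for n in (8, 10, 12, 16):
        r = compare(n)
        print(f"{n:3d} {r['keyboard_bits']:12.1f} {r['digits_bits']:12.1f} "
              f"{years_to_exhaust(r['keyboard_bits']):18.3g}")
    # A passphrase of 5 words drawn at random from a 7776-word list (Diceware-sized, assumed).
    print("5 random words from a 7776-word list:", round(entropy_bits(7776, 5), 1), "bits")
```

Because log2(100) is slightly larger than log2(95), 2n digits always beat n keyboard characters, as the post says. The estimate holds only for passwords chosen uniformly at random; a human-chosen phrase like the one quoted above has far less entropy than 28 × log2(95) bits, since its words and structure are predictable, which is exactly why crackers enumerate phrase patterns rather than all character strings.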

Usually one of the easier methods of SIM hijacking - that, and an actual customer service person being paid to do so… Some such SIM hijacks are so questionable there most likely was bribery involved. Very low-level people have this level of access.

But people in the public eye are far easier targets when it comes to knowing the name of their pet or their mother’s maiden name. Plus those pesky security questions like who was your best friend growing up, favorite schoolteacher, where you got married. Public figures tended to share that info with gossip magazines.

But yes, if your password is simple, if it is a dictionary word plus 2 characters, etc. - all the simple stuff mentioned in this thread - then you are at risk. If all your life story is on social media and people can match it with your account names - then you may as well be Paris Hilton. If you click on odd links in emails - you may as well be Paris Hilton.

I’ll just add that when a website asks you a security question, you are under no obligation to give the correct answer to the question. I routinely give fake answers, it only matters that I remember what I gave.

I had a very pleasant childhood growing up on Mockingbird Lane with my dog Lassie and my best friend Dobie Gillis. As far as a hacker is concerned, my mother’s maiden name is Bouvier and I went to Chester A. Arthur middle school. My first job was safety inspector for a nuclear power plant, and my first car was a Gremlin…

All you need is a robust fake narrative and you’re safe, at least from that type of attack.

As long as you answer consistently. Was your first job “safety inspector for a nuclear power plant”, or was it “nuclear safety inspector”? At some point, you might as well just record your security answers wherever you record your passwords, and at that point, your first job might as well be “f$Y37hB8]L”.

A non-English word accompanying your pass phrase can throw off dictionary attacks. For example my bank account password includes a “Kaapse-taal” swear word. (Kaapse-taal being a unique dialect of Afrikaans, and one not likely to appear in rainbow tables)

I imagine Hungarian or Choctaw slang words would be similarly memorable (if you speak either) and will be unlikely to appear in the hacker’s list in his rainbow tables.

I usually C/P the question, generate a 24 character random string and paste that string as the answer and add it to the “notes” field of my password manager.
My mother’s maiden name: %043NbM3@IDE6NtajZgWqCZliU
my first pet: D#Xtv9L1nNR7!rW2YLT3v11gq$

I do the same, but I will suggest that you limit the characters to lowercase and numbers only. I’ve had to read these back to customer service agents as part of the identity verification process, and not having to specify uppercase or lowercase, or deal with the names for the special characters is a bit of a timesaver. Cutting and pasting complex strings is easy, speaking them is a bit harder.
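The random-answer approach of the last two posts, as an added example that is not any poster’s code: it generates security answers with the operating system’s cryptographic random source, restricted to lowercase letters and digits so they can be read to an agent without spelling out case or punctuation names, and shows how much entropy is left after that restriction. The 24-character default and the 4-character grouping are assumptions chosen for the illustration.

```python
import math
import secrets
import string

# 36 symbols that can be read aloud without naming case or punctuation.
PHONE_FRIENDLY = string.ascii_lowercase + string.digits
# 94 printable ASCII symbols (no space), roughly the set the answers quoted above draw from.
FULL_ASCII = string.ascii_letters + string.digits + string.punctuation


def random_answer(length: int = 24, alphabet: str = PHONE_FRIENDLY) -> str:
    """Uniformly random answer from the OS CSPRNG (the `secrets` module, never `random`)."""
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need a length of at least 1 and at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str) -> float:
    """Entropy of `length` symbols drawn uniformly from the distinct symbols of `alphabet`."""
    return length * math.log2(len(set(alphabet)))


def for_reading(answer: str, group: int = 4) -> str:
    """Display-only grouping for reading an answer over the phone; store the ungrouped form."""
    return " ".join(answer[i:i + group] for i in range(0, len(answer), group))


if __name__ == "__main__":
    for question in ("mother's maiden name", "first pet"):
        ans = random_answer()
        print(f"{question}: {ans}  ({entropy_bits(len(ans), PHONE_FRIENDLY):.0f} bits)")
        print("  read as:", for_reading(ans))
    print("26 chars from full printable ASCII:", round(entropy_bits(26, FULL_ASCII), 1), "bits")
```

24 lowercase-and-digit characters give about 124 bits, versus about 170 bits for 26 characters from the full printable set; both are far beyond anything a guessing attack on a rate-limited account recovery form can reach, so the phone-friendly alphabet costs nothing in practice. Store the answer alongside the exact question text, as the earlier post does, since the wording of the question is what you will be asked to match.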