Why do I need a complex password for secure sites like Google?

Here is what I can safely assume about Google account security:

- all passwords are hashed and salted
- servers are ultra-hardened with sophisticated IDS systems (so it’s unlikely the db could ever be accessed in the first place)
- attempts to brute-force vertically or horizontally would likely be noticed and shut down very rapidly (after a handful of attempts)

Given the above, why does it matter if I have a simple 6 character dictionary-based password versus a complex 15 character alphanumeric phrase?

I feel it is highly unlikely either one could be compromised by attacks on google.

I don’t see how Google could reliably detect horizontal brute forcing. Many of the attacks are distributed through many thousands of compromised computers. Even if each compromised computer only tried the single password “password”, an attacker would net hundreds of accounts (assuming no strong password enforcement). In reality, each computer could probably get away with many tens of probes before getting shut down by Google.
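An added illustration of the point made above (example code written for this page, not from any poster and not Google's logic): a per-account lockout catches the "vertical" attacker who hammers one account, but is blind to a "horizontal" spray where thousands of bots each try one password against a different account. The log lines are constructed for the example, and the thresholds are assumptions, not anything a real provider publishes.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (made up for this example; not real traffic).
# Each line: <ISO timestamp> <FAIL|OK> <account> <source IP>
# carol is hit by a classic vertical attack (one IP, many guesses);
# user01..user12 are hit by a horizontal spray (one guess each, one bot IP each).
SAMPLE_LOG = "\n".join(
    [f"2010-05-01T10:00:{5*i:02d} FAIL carol@example.com 203.0.113.5" for i in range(6)]
    + [f"2010-05-01T10:01:{i:02d} FAIL user{i:02d}@example.com 198.51.100.{i}"
       for i in range(1, 13)]
    + ["2010-05-01T10:05:00 OK alice@example.com 192.0.2.7"]
)


def parse_log(text):
    """Parse the constructed log into (timestamp, result, account, ip) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, result, account, ip = line.split()
        events.append((datetime.fromisoformat(ts), result, account, ip))
    return events


def per_account_lockouts(events, threshold=5, window=timedelta(minutes=10)):
    """Classic vertical control: lock an account after `threshold` failures
    inside `window`. Returns the set of accounts that would be locked."""
    recent_fails = defaultdict(list)
    locked = set()
    for ts, result, account, _ip in events:
        if result != "FAIL":
            continue
        kept = [t for t in recent_fails[account] if ts - t <= window]
        kept.append(ts)
        recent_fails[account] = kept
        if len(kept) >= threshold:
            locked.add(account)
    return locked


def detect_spray(events, window=timedelta(minutes=10), min_accounts=10,
                 min_ips=10, max_per_account=2):
    """Horizontal detector: within any `window`, count accounts that saw only a
    few failures (<= max_per_account) and the distinct source IPs behind them.
    Many low-count accounts from many IPs is a spray. Returns the first hit or None."""
    fails = sorted((ts, acct, ip) for ts, res, acct, ip in events if res == "FAIL")
    for start, _, _ in fails:
        in_win = [f for f in fails if start <= f[0] <= start + window]
        per_account = Counter(acct for _, acct, _ in in_win)
        sprayed = {a for a, n in per_account.items() if n <= max_per_account}
        ips = {ip for _, acct, ip in in_win if acct in sprayed}
        if len(sprayed) >= min_accounts and len(ips) >= min_ips:
            return {"window_start": start, "accounts": len(sprayed), "ips": len(ips)}
    return None


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("per-account lockout caught:", per_account_lockouts(EVENTS))
    print("spray detector:", detect_spray(EVENTS))
```

With these inputs the per-account rule locks only carol; every sprayed account had a single failure and stays well under any sane per-account threshold, which is exactly why a provider needs a population-level view (failures per window across distinct accounts and source IPs) rather than only per-account counters.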

So aren’t you saying that, at worst, my password would be subjected to a couple dozen guesses before a CAPTCHA and other protections are put in place? Aren’t the odds then still astronomically low that my 6 character dictionary-based word would be guessed?

Depends on the dictionary, and your creativity. For instance:

From their list, trying the top 10 passwords will catch 2% of the users. Individually that’s somewhat low (though not insignificant), but tens or hundreds of thousands of attempts will yield hundreds or thousands of broken accounts.

You’re probably safe with some really uncommon word. Most people don’t use uncommon words (or unguessable strings).

What I find freaking annoying is:

1 year ago we had to have some damned 1 symbol, 1 number, 1 cap letter and 8 characters, absolutely no recognizable words [no dictionary words or however they phrased it] now I need 4 random words or some damned sentence and no previously used passwords allowed. WTfuckingH?! And, no 2 damned websites have the same requirements.

What the fuck is it going to be soon, 8 random characters as originally, then 3 pictures, then 4 random words and a nonsense sentence of at least 8 words and a thumbprint reader and a retina scan?

It matters because encryption and IDS do not block the same sort of attack as password complexity. It’s like asking why you need to lock your front door when you’ve got bars on your windows.

That said, you don’t necessarily need an unbreakable password for all systems. If someone gained access to your SDMB account it might be embarrassing or inconvenient, but it’s not a catastrophe like having someone get into your email account and use it to reset every other password.

I wonder if spammers use SMTP when trying to gain access to an account. There are bots that can read CAPTCHAs anyway, but SMTP might be a way around them entirely. It might also be faster than making web requests.

My gmail account was hacked into recently and a bot sent spam emails to all my contacts. I had a password that mixed words and numbers to make it easier to remember. I now use a password that has no words at all.

So it pays to use a more secure password that mixes letters and numbers but doesn’t actually spell anything.

And then to top it off, some websites make you meet their complex requirements, then openly email the password back to you in plain text. Gee, thanks.

Gmail offers cellphone verification for uncleared log-ins. I like it a lot. My computer and phone just ask for my password if I’m not already logged in, but a log-in attempt from somewhere else also requires a verification code that gets texted to my phone. I can get away with a secure password that’s still easy to remember (four regular words plus a number combination that makes sense to me), and coupled with the cellphone message, it’s exceptionally unlikely my email account will ever get hacked.

My bank account and credit cards each have a separate secure password (and the reset email gets sent back to my secure gmail account), and everything else shares one of three crappy passwords that are easy to remember, because honestly in the greater scheme of things who cares if my SDMB account is compromised? I figure I’m far more likely to get “hacked” by someone when a company accidentally releases / doesn’t encrypt / inadvertently publishes to the web a string of passwords including mine, so it’s not worth getting too crazy with my password for cheap websites like proboards or what have you.

My play stuff [SDMB, Customers Suck and various forums all have the same login and password. I really don’t care if someone posts a paean to Sheep Sex. I am much more careful about my credit union, MMORPGs and anywhere I use really personal information or financial information.]

It’s possible that a hacker could gain access to the account database which would give them your password hash, salt, and account name.

From there they could try to brute force your password without any limitations on attempts per second. Video cards are very good at doing this. A single modern video card can do upwards of 5 billion hashes/sec (md5) and 1 billion hashes/sec (sha1).

A 6 character password would be cracked in a matter of seconds.

A site could harden their hashes by running the hash many times before generating the final result. For instance if you generated the hash by running it 1,000,000 times in a row, it would take that much longer for a brute force attack to succeed. This is a really really good idea but one that’s too often overlooked.

This is also why you shouldn’t reuse passwords where you stand to lose something. Sites simply can’t be trusted to store them securely, and once a password/account is cracked it’s very easy to try using that same info at many other sites.
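An added worked example for the post above (written for this page; not code from any poster, and the scheme shown is ordinary salted SHA-1 beside PBKDF2, not what Google actually uses): it does the keyspace arithmetic using the 1 billion SHA-1/s per card figure quoted in the thread, then runs an offline dictionary attack against a stolen salt+hash stored once unstretched and once stretched. The password list is constructed for the example.

```python
import hashlib
import hmac
import os
import time
from functools import partial

# Constructed "leaked" password list for the dictionary attack (made up for this example).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "abc123", "internet", "monkey"]


def hash_unstretched(password, salt):
    """Salted single-round SHA-1: one hash per guess, what a GPU chews through at ~1e9/s."""
    return hashlib.sha1(salt + password.encode()).digest()


def hash_stretched(password, salt, iterations=100_000):
    """Key stretching: PBKDF2 runs HMAC-SHA1 `iterations` times, so every guess
    costs the attacker `iterations` hashes instead of one."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)


def keyspace(charset_size, length):
    """Number of candidate passwords of exactly `length` drawn from `charset_size` symbols."""
    return charset_size ** length


def seconds_to_exhaust(charset_size, length, hashes_per_second, iterations=1):
    """Worst-case offline time to try every candidate at the attacker's hash rate."""
    return keyspace(charset_size, length) * iterations / hashes_per_second


def dictionary_attack(target, salt, hasher, candidates):
    """Offline guess loop: hash each candidate with the stolen salt and compare."""
    for cand in candidates:
        if hmac.compare_digest(hasher(cand, salt), target):
            return cand
    return None


def crack_timing(password, iterations=100_000):
    """Store `password` both ways, crack each, return {scheme: (found, seconds)}."""
    salt = os.urandom(16)
    results = {}
    for name, hasher in (("sha1", hash_unstretched),
                         ("pbkdf2", partial(hash_stretched, iterations=iterations))):
        target = hasher(password, salt)
        t0 = time.perf_counter()
        found = dictionary_attack(target, salt, hasher, COMMON_PASSWORDS)
        results[name] = (found, time.perf_counter() - t0)
    return results


if __name__ == "__main__":
    gpu_rate = 1e9  # ~1 billion SHA-1/s per card, the figure quoted in the thread
    print("6 lowercase chars, plain SHA-1: %.2f s" % seconds_to_exhaust(26, 6, gpu_rate))
    print("6 lowercase chars, 1,000,000 rounds: %.1f days"
          % (seconds_to_exhaust(26, 6, gpu_rate, 1_000_000) / 86400))
    print("15 mixed-case alphanumerics, plain SHA-1: %.1e years"
          % (seconds_to_exhaust(62, 15, gpu_rate) / 31557600))
    for name, (found, secs) in crack_timing("internet").items():
        print(f"{name}: cracked {found!r} in {secs:.4f} s")
```

Two things to notice when it runs: a six-letter lowercase password is exhausted in well under a second at that rate, and stretching by a million rounds only buys a few days, which is why stretching is a defence in depth that complements length and unpredictability rather than replacing them. Both stored forms fall to the dictionary attack, because "internet" is on the list; stretching makes the attack slower, not impossible.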

Highly unlikely things happen all the time.

Basically the answer is: the strength of your password is something that you control. Everything else is out of your control. You can trust Google to do their best, but the bad guys are clever and motivated. And Google’s systems are complex and strewn across many services. It only takes one service with a flawed IDS to allow unthrottled login attempts.

I would think a short simple password would be more indicative of lax security practices. Yeah maybe your Google password is “internet” and maybe hackers wouldn’t be able to brute force it. But the sort of user that would use “internet” as a password also probably used that password when they ordered 3 jars of jelly from Sallys Jelly in Nashua NH. Sallys Jelly gets hacked, the hackers see you have a @gmail.com e-mail address, so they try to log into Google with your “internet” password.

Here’s a very simple way to create very strong, non-dictionary word passwords. Just think of a favorite song lyric and use the first letter of each word.

For instance:
- There’s a lady who’s sure all that glitters is gold = talwsatgig
- Life is very short and there’s no time for fussing and fighting = livsatntffaf
- Like a virgin touched for the very first time = lavtftvft

If necessary capitalize the first letter and add 1 (or 01) to the end. And obviously don’t use a super famous lyric. Amazingly easy to say in your head and type out with your fingers!

It’s not just a matter of ease/probability. Get into my e-mail, for instance, and you can get into anything else for which that is the listed e-mail address; in a way, my e-mail password is all my other passwords.

The most common way for hackers to get into your email account is to hack some other site where you specified your email address. Say you buy something from kittinguniverse.com. You create an account and specify a password. You also gave them your email address. If a hacker steals the user database from kittinguniverse, they have a bunch of email addresses and passwords. Most people use the same password everywhere, so the hackers try the kittinguniverse password on the email website. If they are the same, the hackers are in. They may try the same email/pw combinations on websites which use email as a login (amazon, facebook, etc).

To foil this, the email account should have a unique password used nowhere else. Any sites which use email as a login should also have a unique pw. Any financial institution should have a unique pw. You want any important account to have a unique pw.