IME, most breaches are because data can be queried *from* an information
get user's stored password
compare to what he has typed in
allow access iff they agree
it should always be:
user X claims his password to be Y; is this correct?
i.e., the information system only tells the entity making the
query whether Y is correct for X (at this time). If not, the
querent only knows "it is not Y; one down, NNN left to try!"
Then, you can monitor traffic to decide when someone is trying
to brute force attack with repeated attempts. And, disallow
those attempts (make them more expensive or block them entirely)
Any system that allows an adversary to defeat this monitoring
is ripe for hacking. E.g., XP/Vista passwords can usually be
cracked in minutes -- USING THE CPU POWER OF THE VICTIM'S PC!
Once you have physical access to the PC, you can subvert that
monitoring: don't let it boot its *normal* OS, but, instead,
boot something that does YOUR bidding using ITS horsepower!
[This is why security conscious houses disallow USB/CD/DVD/floppy/PXE
boots; it ensures that the machine will ALWAYS be under the control
of the security team operating the machines (unless you physically
break INTO the machine)]
All passwords should be well chosen. A common exploit is to
gain access to one "service" through a poorly chosen password.
Then, use this to leverage some OTHER service with a more
For example, using a crappy password on your email account.
But, your BANK account has that email account listed as the
mechanism by which you can request your BANK password be reset.
Adversary pwns your email account; then uses that to convince
your bank (your bank's computer!) to let you change the
I have particularly long, "random" passwords (i.e., no pet
names, no birthdates, etc.). Passwords that are more like
NON VANITY license plates issued by a DMV -- only longer:
"What does LKY3F444 mean?"
"<shrug> No doubt the next one in the pile after LKY3F443!"
(but, this requires you to be able to commit odd sequences to
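The "user X claims his password to be Y; is this correct?" design from the post above, with the repeated-attempt monitoring it calls for, as an added example that was not written by anyone in this thread. The in-memory store, the user names, the PBKDF2 cost and the doubling back-off schedule are constructed for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

# Constructed in-memory store: username -> (salt, PBKDF2 digest).
# The verifier never hands the stored secret out; it only answers yes/no.
_USERS: Dict[str, Tuple[bytes, bytes]] = {}

# Per-user failure bookkeeping: (consecutive failures, time next attempt is allowed)
_FAILURES: Dict[str, Tuple[int, float]] = {}

_DUMMY_SALT = b"\0" * 16          # used for unknown users so the work done is the same
_ITERATIONS = 100_000             # illustrative cost parameter, not a recommendation


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def register(user: str, password: str) -> None:
    salt = os.urandom(16)
    _USERS[user] = (salt, _derive(password, salt))


def verify(user: str, claimed: str, now: Optional[float] = None) -> bool:
    """Answer only 'is Y correct for X (at this time)?'.

    Failures are counted; from the third one on, each further attempt is
    refused until a doubling delay has passed, so brute force is both
    visible to monitoring and increasingly expensive for the querent.
    """
    now = time.time() if now is None else now
    failures, not_before = _FAILURES.get(user, (0, 0.0))
    if now < not_before:
        return False                      # inside the penalty window: refused, no hint given
    salt, stored = _USERS.get(user, (_DUMMY_SALT, b"\0" * 32))
    digest = _derive(claimed, salt)       # same cost whether or not the user exists
    if user in _USERS and hmac.compare_digest(digest, stored):
        _FAILURES.pop(user, None)         # success clears the failure streak
        return True
    failures += 1
    delay = min(2.0 ** (failures - 3), 3600.0) if failures >= 3 else 0.0
    _FAILURES[user] = (failures, now + delay)
    return False


def failure_count(user: str) -> int:
    """Expose the streak so a monitor can alert on or block repeated attempts."""
    return _FAILURES.get(user, (0, 0.0))[0]
```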
But then how does my userid and password help him? If I can't find
it on the website, and he can only find it by bypassing the website (so
that the password won't do him any good), he can already do that, with
or without my password.
*** ATTENTION: VIRUS ****
The following virus requires your cooperation:
Please forward this to everyone you know, then delete all your personal
data (don't forget backups).
Failure to follow these instructions may have severe consequences.