not sure what are all those dismissive comments are about. the news here is that it become exceptionally EASY to brute-force an 8 character password. 8char passwords did provide the security for a while, but it seems they don't anymore. Equipment built from off the shelf components (and not too many of them) can break such passwords today. I'm sure it will soon be used not just by NSA but by almost anyone, including some 'recovery' businesses.
This is idiocy. There is no system in existence that I know of where you will be allowed to sit and try millions of passwords.
About the only place I can think of is encrypted partitions, when you somehow obtained the physical drive. But that usually has other, additional security mechanisms in place.
After failure number 5 most systems just lock the account. All the requirements on password complexity are sheer idiocy.
> After failure number 5 most systems just lock the account.
Which gives us a nice method of blocking someone from their account just by intentionally logging in with a wrong password 5 times.
Much better method is to require user to solve CAPTCHA (or, maybe, "hashcash"-type test, to perform some time-consuming computation) after 2nd wrong guess per hour.
> All the requirements on password complexity are sheer idiocy.
Not exactly all. Sane minimal requirements like "you password can't be your name or birth date (or both of them combined)" are perfectly fine. It's very sad how many people use their birth year (yeah, just 4 digits!) as a password. And this is not because they don't care about their accounts (they do), it's just because they just don't get how insecure it is.
Just don't overdo it with real idiocy like "your password must contain at least one digit". Hey, my password generator gave me "CEvbnofFqDKNdRsW", and this IS really secure enough.
A website called Password Safe will store a list of passwords for you, but Boyd and Davis said it may still be possible for a hacker to obtain that list.
PasswordSafe is a software program (created by Bruce Schneir) that stores your passwords on your own computer. It is not a website for storing passwords.