In reply to the discussion: Kill the Password: Why a String of Characters Can’t Protect Us Anymore
wtmusic (39,166 posts):
As UnrepentantLiberal notes, there are programs that can guess, in theory, millions in a few seconds.
In practice, it's much longer. Passwords are nowadays stored on a server in one-way encrypted form (hash). When you enter your password, the server uses the same encryption algorithm on your entry and compares it to the encrypted form on the server. There is no way to decode it, which is why you can't retrieve your passwords any more - they need to be reset.
Any secure website will disable an account after x number of tries (usually under ten), and a round trip HTTP authentication takes at least a second. So you might be able to guess ten passwords in ten seconds, but then you would have to re-enable the account. Practically speaking, a five-character pseudo-random password with upper/lower alpha and numerals is sufficient protection against brute force attacks for anything except your investment/banking accounts.
By a factor of thousands (millions?) the biggest risk you face is not keeping your password secret.
The next biggest risk is using a simple password. I always discounted the ability of hackers to guess simple passwords until I had a client's website hacked through (what we found out later to be) a guess. His password? "Butthead".
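An added illustration of the two mechanisms the post describes (this is example code written for this page, not code from the thread or from any product the poster used): the server stores only a salted, one-way hash and compares a fresh hash of whatever the user types, and it disables the account after a fixed number of failed tries. The PBKDF2 iteration count, the 16-byte salt, the ten-attempt lockout threshold and the simulated guess list are all assumptions chosen here; the keyspace helper just counts the 62-symbol upper/lower/digit alphabet the post mentions.

```python
"""Hash-and-compare password storage plus an online lockout counter.

Added example for this page; not the original post's code. The iteration
count, salt size and lockout threshold are assumptions, not a standard.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from typing import List, Optional, Tuple

PBKDF2_ITERATIONS = 200_000   # assumption: kept modest so the demo runs fast
SALT_BYTES = 16               # assumption
MAX_FAILED_ATTEMPTS = 10      # assumption, matching "usually under ten"


@dataclass
class StoredCredential:
    """What the server keeps: never the password, only salt + digest."""
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


def _derive(password: str, salt: bytes) -> bytes:
    # One-way: there is no inverse of PBKDF2, so the server cannot
    # hand the password back; it can only re-run this and compare.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS)


def hash_password(password: str, salt: Optional[bytes] = None) -> StoredCredential:
    """Enrol a password: fresh random salt, store the derived digest."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    return StoredCredential(salt=salt, digest=_derive(password, salt))


def verify_password(cred: StoredCredential, candidate: str) -> bool:
    """Server-side check with lockout. Returns True only on a correct guess
    against an account that is not locked."""
    if cred.locked:
        return False
    if hmac.compare_digest(_derive(candidate, cred.salt), cred.digest):
        cred.failed_attempts = 0          # success resets the counter
        return True
    cred.failed_attempts += 1
    if cred.failed_attempts >= MAX_FAILED_ATTEMPTS:
        cred.locked = True                # account now needs a manual reset
    return False


def simulate_online_attack(cred: StoredCredential,
                           guesses: List[str]) -> Tuple[int, bool]:
    """Feed guesses through the login path until success or lockout.
    Returns (attempts_made, succeeded)."""
    for attempt, guess in enumerate(guesses, start=1):
        if verify_password(cred, guess):
            return attempt, True
        if cred.locked:
            return attempt, False
    return len(guesses), False


def keyspace(length: int,
             alphabet: str = string.ascii_letters + string.digits) -> int:
    """Number of distinct pseudo-random passwords of this length.
    For the post's 5-character upper/lower/digit case: 62 ** 5."""
    return len(alphabet) ** length


def guesses_per_lockout_fraction(length: int) -> float:
    """Fraction of the keyspace an attacker covers before lockout."""
    return MAX_FAILED_ATTEMPTS / keyspace(length)


if __name__ == "__main__":
    cred = hash_password("Butthead")
    print("correct login:", verify_password(cred, "Butthead"))
    print("5-char keyspace:", keyspace(5))
    attempts, ok = simulate_online_attack(
        hash_password("s3Kr1t"), [f"guess{i}" for i in range(50)])
    print(f"locked after {attempts} attempts, success={ok}")
```

The `hmac.compare_digest` call matters: comparing digests with `==` can leak how many leading bytes matched through timing, while the constant-time compare does not. The lockout lives on the credential record here for simplicity; in a real deployment it would be a per-account counter in the database, and the reset path is what the post refers to when it says the account has to be re-enabled.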