Quote Originally Posted by Dan Druff
I see you edited your post to include the above. When I responded, it only had that short paragraph at the beginning.

Perhaps I oversimplified what constitutes a weak password, and in fact I'll go back and change my advice to clarify that.

Still, I believe your advice is overkill because most e-mail systems these days have measures in place to prevent brute force password attacks.

I'm still not understanding why you're not just suggesting people to disassociate their 2+2-related e-mail addresses from anything important.

Hi Todd,
Sorry for the ninja edit. I have a habit of posting a brief and incomplete post and then editing it quickly, which obviously isn't fair to people who read my half-finished posts. This time I was particularly slow because I'm doing a few things at once. My bad.

"Still, I believe your advice is overkill because most e-mail systems these days have measures in place to prevent brute force password attacks."

There's no way to "prevent a brute force attack" when someone gains access to the server--as happened today on 2p2 and will happen again. (Indeed, there is necessarily always at least one person with access to every server unfortunately.) The brute force that I am talking about is brute forcing hashed passwords. That's not preventable because it's something that a hacker does on his own computer.

There are also ways around those ways to "prevent a brute force attack" that you're talking about. Indeed, a hacker tried to brute force passwords in this way on 2p2 not too long ago, and I think he got a few accounts in spite of 2p2 using industry practices there.

"I'm still not understanding why you're not just suggesting people to disassociate their 2+2-related e-mail addresses from anything important"

I think that people are much more likely to be willing to use secure passwords than they are to use multiple e-mail addresses (that don't just all forward to a master account). Using multiple e-mail addresses is a huge pain in the ass, whereas using secure passwords is incredibly easy as long as you know what constitutes a secure password.