I'm not sure what you're trying to say here? I thought you were wondering why "unmemorable passwords" were any better?
Plain brute-forcing has to search a much bigger keyspace than a smart dictionary-based attack.
See your previous comment about offline attack modes.
-f0dder (June 04, 2017, 09:37 AM)
-MilesAhead (June 05, 2017, 06:57 AM)
-f0dder (June 05, 2017, 11:02 AM)
My point was that although passwords that are made of actual words were more vulnerable than those "secure" generated ones, if you do not limit the number of attempts at cracking them then nothing is secure. Also, the same thing applies to hijacking the encrypted database. If the brute-force method can be applied offline, then just because the passwords have no vowels and have some numbers and symbols sprinkled in, that will not long delay the cracking. Especially with cheap computing power. Seems to me setting delays on IPs and domains generating invalid logon attempts would be more secure.
Then the main worry might be somebody flubbing logins to your account just to get it shut off for a time. Kind of a perverted denial of access. But even then there should be some indication where the attack is coming from.
To me it is similar to these fast food joints where you have to hop, skip and jump to their "system" in order to place your order. When everything is owned by four holding companies there is less "competition" and customer service than when Mom and Pop have to worry you will go around saying their service sucks at their one variety store. This seems to be analogous to the online situation these days. You have to include uppercase letters, lower case letters, punctuation and numbers, plus pass gas twice, in order to log on. IOW, it stinks for a reason.
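The post above proposes delaying invalid logon attempts by source rather than relying on password complexity, and then raises the obvious objection: if failures lock the account, anyone can deny the real owner access by deliberately failing logins. The following is an added example, not code from this thread or from any product the posters use, showing one way to implement that throttling so both concerns are addressed: failures are counted per requesting source with exponential backoff, and per target account with a small fixed cap, so a stranger hammering someone else's username can only add a few seconds to the owner's login rather than lock them out. The IP addresses, the account name, the `FakeClock` helper and all delay parameters are constructed for the demonstration. Note that this only slows online guessing; it does nothing for the offline case the post mentions, where the attacker already holds the encrypted database.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Delay repeated failed logins instead of locking accounts.

    Two failure histories are kept: one keyed on the requesting source
    (IP/host) and one keyed on the target account. The source history backs
    off exponentially (1, 2, 4, 8 ... seconds up to source_cap); the account
    history is capped at account_cap so that failures caused by a stranger
    cannot lock the legitimate owner out for long.
    """

    def __init__(self, base=1.0, source_cap=300.0, account_cap=5.0,
                 window=900.0, clock=time.monotonic):
        self.base = base                # first delay in seconds
        self.source_cap = source_cap    # longest delay imposed on one source
        self.account_cap = account_cap  # longest delay imposed on one account
        self.window = window            # failures older than this are forgotten
        self.clock = clock              # injectable for deterministic testing
        self._failures = defaultdict(list)  # key -> timestamps of failures

    def _wait_for(self, key, cap, now):
        """Seconds still to wait under the history stored for one key."""
        recent = [t for t in self._failures[key] if now - t <= self.window]
        self._failures[key] = recent
        if not recent:
            return 0.0
        delay = min(self.base * 2 ** (len(recent) - 1), cap)
        return max(0.0, recent[-1] + delay - now)

    def retry_after(self, source, account):
        """Seconds the caller must wait before another attempt is accepted."""
        now = self.clock()
        return max(self._wait_for(("src", source), self.source_cap, now),
                   self._wait_for(("acct", account), self.account_cap, now))

    def record_failure(self, source, account):
        now = self.clock()
        self._failures[("src", source)].append(now)
        self._failures[("acct", account)].append(now)

    def record_success(self, source, account):
        """A correct login clears both histories."""
        self._failures.pop(("src", source), None)
        self._failures.pop(("acct", account), None)


class FakeClock:
    """Constructed clock so the scenario below is deterministic."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo(attempts=10):
    """Constructed scenario: one source fires `attempts` wrong guesses at the
    account 'alice' as fast as the throttle allows, then the real owner of
    'alice' mistypes once from her own address. Returns (seconds the guesser
    spent waiting in total, delay the owner faces on her next attempt)."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    guesser, owner = "198.51.100.7", "203.0.113.9"  # constructed TEST-NET addresses
    total_wait = 0.0
    for _ in range(attempts):
        wait = throttle.retry_after(guesser, "alice")
        if wait > 0:
            total_wait += wait
            clock.advance(wait)
        throttle.record_failure(guesser, "alice")
    owner_wait = throttle.retry_after(owner, "alice")
    return total_wait, owner_wait


if __name__ == "__main__":
    spent, owner_delay = demo()
    print(f"guesser waited {spent:.0f} s for 10 attempts; "
          f"owner delayed {owner_delay:.0f} s")
```

With the defaults, ten guesses from one address cost the guesser 511 seconds of waiting, while the account's owner is delayed at most 5 seconds and is never locked out; the trade-off is that a guesser spread across many addresses is only held to the 5-second account cap, which is why the per-source history is the one allowed to grow large.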