They can't get at your money anyway without transaction numbers, but your account can be used in other ways. Depends on the motive of the attacker but the potential to get you into trouble is there.
That's the fallacy. If they know enough rules about your password, they can easily brute force the unknown bits. For example, they don't need to know that 'G' is 7 or 8 or 3; they will just try out all 10 numbers.
:fat: Nothing I said isn't known to the script kiddies who do this on a regular basis.
The Royal Gronkanoth Deluxe Meg / et al: If I may... (and, maybe this will explain the name mash-up...)
I believe both of you are on the right track. Humans are not prone to randomness. And security should not overly hinder the purpose for which the security is required.
Having an algorithm for passwords IS a good idea. Especially if it's for the person(s) to remember and utilize, but not prone to 'familiarization' or patterns. (This is true for short AND long passwords, just might be applicable to words more than characters in the case of long passwords.)
And length is becoming paramount. While utilizing extra characters (and differences) is better for security - it might not be better for humans. (NIST last Oct showed it's actually worse - because more people resort to writing them down.) But allowing for longer passwords not only increases security exponentially - it allows more types of 'friendly' algorithms for human use.
https://crambler.com/password-security-why-secure-passwords-need-length-over-complexity/
And, Gronk, while longer passwords of 'words' do increase the risk - the amount is infinitesimal. (See link above) Dictionary attacks work well on short passwords because the number of characters limits the number of words that need to be checked. Since 1, 2, and quite a few 3 letter words are excluded from most dictionaries, only 4-8 letter words need be examined. And, at most only 2 words. (btw - we are intentionally leaving out multiple languages...)
If you increase the number of allowable characters, you have increased the number of words using more characters, more combinations of words, AND the possibility of humans now using those 1, 2, and 3 letter words! Also, logons do not work like they do in the movies. A dictionary attack has to supply the entire password ALL AT ONCE. Not word by word. AND, almost all login processes now have timeouts associated with incorrect attempts. Even with massive bot-net networks - long passwords will take a REALLY long time to crack.
But, the BEST thing anyone can do - is make sure that they don't use passwords repeatedly. Bad guys (mostly large criminal enterprises and nation states these days) and 'good guys' now have access to HUGE databases that have collated all information from 70+ major breaches in the past two decades.
Meaning they use AI to examine all records from one breach and compare it to another. If there is any kind of similar information in them (name, address, phone number, online name, security questions and answer, etc.) - they link them. AND, then ALL of that is used when a new company's data is exfiltrated!
That is why it's not even a good idea to use the same security questions on different sites. AND, keep in mind, security question answers do not even have to be related to the question! (Think about it...)
Stay tuned next month when we cover rainbow tables, encryption (and cipher suites), and steganography. (Steganography is actually kind of cool/fun... Unless you're like Roland (or me), and REALLY, REALLY like math; then maybe rainbow tables and cipher suites would be a lot of fun.)
QB
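The two arguments above (the earlier reply's point that an attacker who knows the rules of a password scheme only has to brute force the unknown positions, and QB's point that length, word combinations and login throttling change the picture) can be put side by side with a small keyspace calculator. The code below is an added example, not code from any poster in this thread; the alphabet sizes, the 8000-word dictionary, the "5 attempts, then a 15 minute lockout" policy and the offline guess rate are constructed assumptions chosen for illustration.

```python
import math

# Character-class sizes used for the estimates (constructed assumptions).
CLASS_SIZES = {
    "k": 1,    # a position the attacker already knows (a fixed letter of a known word)
    "d": 10,   # a decimal digit
    "l": 26,   # a lowercase letter
    "u": 26,   # an uppercase letter
    "a": 52,   # a letter of either case
    "n": 62,   # a letter or digit
    "p": 95,   # any printable ASCII character
}

def guesses_for_pattern(pattern: str) -> int:
    """Candidates an attacker must try when the password's *structure* is known.

    `pattern` is one class letter per position, e.g. "kkkkkddd" for a known
    five-letter word followed by three unknown digits. Known positions cost
    nothing, which is exactly the "they just try all 10 numbers" observation.
    """
    total = 1
    for cls in pattern:
        total *= CLASS_SIZES[cls]
    return total

def keyspace_chars(length: int, alphabet: int) -> int:
    """Candidates for a password of `length` characters with no known structure."""
    return alphabet ** length

def keyspace_words(words: int, dictionary: int) -> int:
    """Candidates for a passphrase of `words` words from a `dictionary` of that size.

    A login accepts or rejects the whole string, so the attacker cannot confirm
    one word at a time; every combination is a separate candidate.
    """
    return dictionary ** words

def bits(keyspace: int) -> float:
    """Keyspace expressed as bits of entropy (log2 of the candidate count)."""
    return math.log2(keyspace)

def online_rate(attempts_before_lockout: int, lockout_seconds: float) -> float:
    """Effective guesses per second against a login that locks after N failures."""
    return attempts_before_lockout / lockout_seconds

def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return keyspace / guesses_per_second

def scenario_table() -> dict:
    """Compare the thread's scenarios under an online (throttled) and an offline attacker."""
    throttled = online_rate(5, 15 * 60)     # constructed: 5 tries, then 15 min lockout
    offline = 1e9                           # constructed: 1 billion hashes/s on a leaked hash
    scenarios = {
        "known word + 3 digits": guesses_for_pattern("kkkkkddd"),
        "8 random printable chars": keyspace_chars(8, 95),
        "3 dictionary words": keyspace_words(3, 8000),
        "5 dictionary words": keyspace_words(5, 8000),
    }
    return {
        name: {
            "bits": round(bits(n), 1),
            "online_days": seconds_to_exhaust(n, throttled) / 86400,
            "offline_seconds": seconds_to_exhaust(n, offline),
        }
        for name, n in scenarios.items()
    }

if __name__ == "__main__":
    for name, row in scenario_table().items():
        print(f"{name:28s} {row['bits']:6.1f} bits  "
              f"online {row['online_days']:.3g} days  "
              f"offline {row['offline_seconds']:.3g} s")
```

The output makes both points at once: a scheme whose rule is known collapses to a few thousand guesses (about 10 bits), yet a throttled login still stretches even that across days, which is why the online lockout helps; the same thousand guesses take a microsecond against a hash recovered from a breach, which is why QB's advice about never reusing passwords across sites is the part that actually protects you once one site leaks.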