Quote:
Originally Posted by
Firefly7475 
Let's say in my "Jill's Bolt Emporium" example that Jill's son decided to store user details in an encrypted form using their password as the key.
Mr Hacker could still pull back the entire list of usernames and password but he would need to then need to have some kind of brute force utility to individually decrypt each users details.
This is where brute force attacks and longer password comes into play, not directly attacking a website.
Oops, and I thought I was clever with passwords! Thanks Firefly, I actually have a method to beat prying eyes, and I think also covers hackers:
I have different passwords for all my accounts. The passwords are names of people I know and to trim and obfuscate them (the passwords, not the people ) I remove vowels and replace specific letters with numbers. I store accounts and passwords in Simplenote, so they are easily available to me anytime (Simplenote's password is the only one I have to learn).
But I don't store the passwords per se. I store a mental association to the name. Like nicknames, but also names I assign to people that, in my own mind, look like some of the X-Men. Yes, I have fun with that: I loved the Darkchilde, and fought Magneto!!
A hacker can't break my iTunes account using passwords of my other accounts. And he can not use the mnemonics on my Simplenote account. Sure, sometimes I have to use Simplenote to break into my own passwords... but since they are basically known names, the ones I use most are easily remenbered.
Concerning brute force, since I believe every try has to be a communication to the server, try-limits is a reasonable solution.
