Security Basics mailing list archives

Re: Password variation scheme a plus in security?


From: Alexander Klimov <alserkli () inbox ru>
Date: Tue, 1 Jul 2008 11:07:40 +0300 (IDT)

On Mon, 30 Jun 2008, Stefan Schmidt wrote:
> My idea is that the hackers have like 100.000 passwords and from
> these maybe 90.000 give them immediate login success at other sites,
> so they might just ignore the 10.000 that don't immediately work. Or
> is it rather standard procedure in hacking attacks to try variations
> of the acquired passwords?

Let us put it differently: is it a standard practice to grab
a list of user/password pairs from one site and try to apply
them to some different site? To answer the question you should
think about the motives of the attacker: what can they gain from a few
hundred logins on, say, /. or any other popular site? Probably
link spam, but the result is small and short-lived, and thus it
is reasonable to guess that it is not "a standard practice".

On the other hand, the effect can be much more profound if an
attacker can access your Internet mail and all your messages,
including messages from your bank. Since your email address is
usually stored on the cracked site together with your login
credentials, it is reasonable to guess that an attacker will
apply some small guessing to access your email.

The practical summary: use different hard-to-guess passwords to
access resources that may have value for an attacker and
"password1" in all other cases (actually "qwer1234" is even
faster to type :-).

-- 
Regards,
ASK
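The thread above turns on whether a password leaked from one site is worth reusing, possibly with small variations, against another. The defender-side counterpart is a registration or password-change check that refuses passwords which are only trivial variants of ones already known to be compromised. The following is an added example for this archive page, not code from the thread or from any of its posters; the leaked list is a constructed sample, and the normalization rules (case folding, a few leet substitutions, stripping digits and punctuation from the ends, and a one-edit tolerance) are my own assumptions about what "small guessing" covers, not a standard.

```python
import string

# Constructed sample standing in for credentials leaked from some other site.
# These are illustrative values only, not real breach data.
LEAKED_PASSWORDS = ["Summer2007", "password1", "qwer1234", "letmein"]

# Hypothetical reversal of the leet substitutions an attacker would try first.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e",
                          "1": "i", "!": "i", "4": "a", "5": "s"})


def normalize(pw: str) -> str:
    """Collapse the cheap tricks (case, appended digits/symbols, leet) so that
    'Summer2007', 'summer2008!' and 'Summ3r' all map to the same core."""
    core = pw.lower()
    # Strip digits and punctuation from both ends first, so a trailing '1'
    # is removed rather than being rewritten to 'i' by the leet map.
    core = core.strip(string.digits + string.punctuation)
    core = core.translate(LEET_MAP)
    # A password made only of digits/symbols would strip to nothing; fall back
    # to the lower-cased original so it is still compared.
    return core or pw.lower()


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; inputs here are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_trivial_variant(candidate: str, known: str) -> bool:
    """True when `candidate` differs from `known` only by the variations an
    attacker would enumerate cheaply: case, leet, edge digits/symbols,
    reversal, or a single character edit of the normalized core."""
    c, k = normalize(candidate), normalize(known)
    if c == k or c == k[::-1]:
        return True
    return edit_distance(c, k) <= 1


def check_against_leak(candidate: str, leaked=LEAKED_PASSWORDS) -> list:
    """Return the leaked passwords that `candidate` is a trivial variant of.
    An empty list means the candidate passes this particular check."""
    return [k for k in leaked if is_trivial_variant(candidate, k)]


if __name__ == "__main__":
    for pw in ["Summer2008", "P@ssw0rd2", "Qwer5678!", "Tr0ub4dor&3"]:
        hits = check_against_leak(pw)
        verdict = "reject (variant of %s)" % hits if hits else "accept"
        print("%-12s -> %s" % (pw, verdict))
```

In practice the leaked list would be a hashed corpus rather than plaintext in source, and the normalization would be applied before hashing on both sides; the point of the example is the variant matching, which is what makes a "change one digit per site" scheme no stronger than plain reuse.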
