Agreed, it seems rather arbitrary advice. Though complex passwords are good, and mixing normal characters with numbers helps that, I'm starting to strongly believe that for passwords humans need to remember, long passwords or even passphrases are the more appropriate answer.
But still, I'd wager that these breaches are rarely due to weak passwords getting brute-forced and more bad password hygiene otherwise (e.g. sharing passwords across sites, falling prey to social engineering/phishing or having that happen to the service provider).
I'm sure there are opportunistic attacks on the few most common passwords (or even few hundred) but I'd imagine such attacks to generally get identified & blocked by the service providers. This of course assumes a certain level of competency and scale on their part. :)
Although I concur with the need for the service provider's(') diligence in securing the site and its resources, social engineering is hard to carry out once preventative methods are put in place.
Social engineering requires one of the following:
- physical access to the user's machine
- remote access to the user's machine
- user's assistance via revealing the password(s)
- user's assistance via revealing confidential information
- access via server's(') employees
- access to the server's(') machine(s)
The first two requirements on the list are mostly preventable. Physical access is basically the point of no return. Remote access utilizes the functionality of malware. The next two are preventable assuming the user analyzes emails from the service carefully and enters URLs properly. The last two are not preventable from the user's side, thus it should be the only attack vector if the user prevents the first four criteria from being met.
Agreed, social engineering from the user's point of view is usually moderately easily preventable with vigilance; however, a weak moment (e.g. not properly checking or verifying information) or insufficient education may still allow it to happen. And one way for malware to gain access in the first place is social engineering as well (e.g. e-mails with malicious attachments), so it doesn't need to be the end-all way of access but can also be a part in the chain.