The New York Times takes a look at other tech vulnerabilities, besides insecure passwords:
Some computer security experts are advancing the heretical thought that passwords might not need to be “strong,” or changed constantly. They say onerous requirements for passwords have given us a false sense of protection against potential attacks. In fact, they say, we aren’t paying enough attention to more potent threats.
Here’s one threat to keep you awake at night: Keylogging software, which is deposited on a PC by a virus, records all keystrokes — including the strongest passwords you can concoct — and then sends it surreptitiously to a remote location. […]
Donald A. Norman, a co-founder of the Nielsen Norman Group, a design consulting firm in Fremont, Calif., makes a similar case. In “When Security Gets in the Way,” an essay published last year, he noted the password rules of Northwestern University, where he then taught. It was a daunting list of 15 requirements. He said unreasonable rules can end up rendering a system less secure: users end up writing down passwords and storing them in places that can be readily discovered. […]
A short password wouldn’t work well if an attacker could try every possible combination in quick succession. But as [security researchers Cormac Herley and Dinei Florêncio] note, commercial sites can block “brute-force attacks” by locking an account after a given number of failed log-in attempts. “If an account is locked for 24 hours after three unsuccessful attempts,” they write, “a six-digit PIN can withstand 100 years of sustained attack.” […]
Roger A. Safian, a senior data security analyst at Northwestern, says that unlike Amazon, the university is unfortunately vulnerable to brute-force attacks in that it doesn’t lock out accounts after failed log-ins. The reason, he says, is that anyone could use a lockout policy to try logging in to a victim’s account, “knowing that you won’t succeed, but also knowing that the victim won’t be able to use the account, either.” (Such thoughts may occur to a student facing an unwelcome exam, who could block a professor from preparations.)
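The Herley and Florêncio figure quoted above (three failed attempts, then a 24-hour lock, six-digit PIN) can be checked with a small model of an account-lockout policy. This is an added example, not code from the article or the researchers; it assumes the simplest lockout semantics (the account accepts `max_failures` guesses, then refuses everything for `lock_seconds`, then repeats), and it also lets you compare other policies and the no-lockout case that Safian describes.

```python
from dataclasses import dataclass
from math import ceil

SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


@dataclass(frozen=True)
class LockoutPolicy:
    """Account is locked for lock_seconds after max_failures consecutive failures.

    Assumption of this model: guesses themselves take no time, so the only thing
    slowing an online guessing attack against one account is the lock period.
    """
    max_failures: int
    lock_seconds: float

    def guesses_allowed(self, seconds: float) -> int:
        """Online guesses one account will accept within a window of `seconds`."""
        if seconds <= 0:
            return 0
        # Every elapsed lock period starts a fresh batch; the first batch is free at t=0.
        cycles = int(seconds // self.lock_seconds) + 1
        return cycles * self.max_failures

    def years_to_exhaust(self, keyspace: int) -> float:
        """Years needed to try every value of a keyspace of `keyspace` secrets."""
        cycles = ceil(keyspace / self.max_failures)
        return (cycles - 1) * self.lock_seconds / SECONDS_PER_YEAR


def fraction_searched(policy: LockoutPolicy, keyspace: int, seconds: float) -> float:
    """Share of the keyspace an attacker can cover in `seconds` under `policy`."""
    return min(1.0, policy.guesses_allowed(seconds) / keyspace)


def years_without_lockout(keyspace: int, guesses_per_second: float) -> float:
    """Same keyspace with no lockout, limited only by the server's request rate."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    pin_space = 10 ** 6  # six-digit PIN, the case quoted in the article
    strict = LockoutPolicy(max_failures=3, lock_seconds=SECONDS_PER_DAY)
    print(f"searched in 100 years: {fraction_searched(strict, pin_space, 100 * SECONDS_PER_YEAR):.1%}")
    print(f"years to exhaust: {strict.years_to_exhaust(pin_space):.0f}")
    # The flip side from the article: the same policy lets anyone who submits three wrong
    # guesses deny the real owner access for a day, which is why some sites decline to use it.
    print(f"no lockout at 10 guesses/s: {years_without_lockout(pin_space, 10) * 365.25:.1f} days")
```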