FlyerTalk Forums - View Single Post - Suspended MP Accounts / Username Access Disabled / 3rd Party Security Breach-Dec 2014
Old Feb 19, 2015, 9:55 am
#132
Kingston
Originally Posted by Bonehead
If someone has a list of passwords and PINs, what's the difference?

Since about three failed login attempts locks the account, the hysteria regarding PINs seems a tad overblown.
They don't have a list of passwords and PINs. That would assume that passwords and PINs are stored in plain text in database tables, which is not the standard.
They get access to the customer database through an exploit. That database has hashed (not plain text) versions of the passwords and/or pins. That's how most companies store credentials. A username associated with a hashed credential.
They can try billions of combinations (quite easily and quite quickly) offline until they match the hash. Then they can go online and get access.
They're not sitting on united.com guessing PINs. When they go to united.com they already have your PIN because they did their guessing offline.

It's like someone wants to make a copy of your house key.
If they walk up to your front door and start trying different keys, they'll get caught quickly.
Instead they get a copy of what your lock is like. They can then try every combo of key until one opens the lock.
Then when they come up to the front door they don't attract attention or get locked out.
That's basic password cracking (multiply this out by millions of users). The length and complexity of that password determines how difficult it is to brute-force it.
A four-digit numeric password (the PIN) can be brute-forced in seconds.
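The offline search described in the post, as an added illustration that is not part of the original thread or of any airline's systems: a leaked unsalted SHA-256 of a four-digit PIN is exhausted in 10,000 guesses without ever touching the login page (so a three-strikes lockout never fires), while per-user salting plus a deliberately slow KDF (PBKDF2 here, iteration counts and the sample PIN are constructed values) multiplies the work of every guess.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Every 4-digit numeric PIN, in order: the entire candidate space is only 10,000 entries.
PIN_SPACE = [f"{n:04d}" for n in range(10_000)]


def store_unsalted_fast(pin: str) -> str:
    """Weak storage: one unsalted SHA-256 of the PIN. Fast to compute, so fast to search."""
    return hashlib.sha256(pin.encode()).hexdigest()


def crack_offline(stored_hex: str) -> Tuple[Optional[str], int]:
    """Exhaustive offline search against a leaked fast hash.
    Returns (recovered PIN or None, number of guesses made).
    No network request is involved, so an online lockout cannot slow this down."""
    for guesses, cand in enumerate(PIN_SPACE, start=1):
        if hmac.compare_digest(store_unsalted_fast(cand), stored_hex):
            return cand, guesses
    return None, len(PIN_SPACE)


def store_salted_slow(pin: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Better storage: a per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    The salt means two users with the same PIN get different hashes, so a table
    precomputed once cannot be reused across the whole breach; the iteration count
    makes each guess cost `iterations` HMAC rounds instead of one hash."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)


def crack_offline_slow(stored: bytes, salt: bytes, iterations: int) -> Tuple[Optional[str], int, int]:
    """Same search against the salted, slow scheme.
    Returns (recovered PIN or None, guesses made, total HMAC rounds spent).
    A 4-digit space is still recoverable; the slow KDF only raises the price per guess,
    which is why a short numeric PIN remains weak even when stored properly."""
    for guesses, cand in enumerate(PIN_SPACE, start=1):
        if hmac.compare_digest(store_salted_slow(cand, salt, iterations), stored):
            return cand, guesses, guesses * iterations
    return None, len(PIN_SPACE), len(PIN_SPACE) * iterations


if __name__ == "__main__":
    leaked = store_unsalted_fast("0427")          # constructed sample PIN
    print(crack_offline(leaked))                  # ('0427', 428)
    salt = b"\x01" * 16                           # constructed salt; use os.urandom(16) in practice
    print(crack_offline_slow(store_salted_slow("0042", salt, 100), salt, 100))  # ('0042', 43, 4300)
```

The round count returned by `crack_offline_slow` is the number to compare against the fast scheme's single hash per guess: the search space is identical, only the cost per candidate changes.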