Password Security

I'll be happy when biometrics truly gets here for passwords. I hate when I forget one and have to request it.

I hope we are 10 years or less away from biometrics.

Hackers rarely use brute force anymore, they have to crack the hashes. The more complicated your password is, the harder that the hash is to crack. But once it is cracked, they only need 1 attempt to login. This is why websites require you to have a password that's hard to crack

It makes it a lot harder for hackers to get your password by using all characters and using one capital letter. This makes it harder for them as there are more choices of what password you are using compared to simply using a single word all in lowercases. This greatly narrows down their options.

Strong passwords can be easy to remember and impossible to crack online.

Like if you used "D0g....................." brute force would never crack it online.

https://www.grc.com/haystack.htm

Even with the password as 'password,' which has the search space of 2.17 x 10^11 it would take roughly 6.91 years at one thousand continuous brute force attempts per second to crack.

This isn't counting dictionary attacks however which often list 'password' as a common phrase.

Adding just one exclaimation point to 'password!' extends the search space to 8.81 x 10^15 and would take roughly 2.80 thousand centuries at a thousand attempts per second to decode

Do you see why passwords should contain special letters?

It would take a very long time for someone to brute force even an average sized password, and they wouldn't do it from a browser connection either. Most run of the mill attacks on sites are done thru vulnerabilities in SQL databases and scripting attacks to get the list of all user accounts and passwords, they attack the site itself instead of going for individual admin accounts to begin with.

The file gets downloaded in its' encrypted form and is relatively easy for an experienced attacker to decode the md5 to reveal the admin name and password for the superuser (administrator)

Once the site is compromised it's pretty much fair game from there, a lot of these sites get backdoored with flash trojans and whatnot, I've even seen web hosting companies get targeted with the attacker having ~root access to ALL of the reseller hosting accounts.
You are never really safe when it comes to online security because attackers are always one step ahead of everyone.

Data will save us all:

In my younger years I used to hack (I can say this because statute of limitations are long gone now), I also worked for an INC 500 company developing security software for Top Level government agencies. During my hacking days, the most common ways to hack an account were:

1. brute force:

a) using dictionary lists (this was before people were required to use capitolization, punctuation or numbers).

b) using generators - I basically built some software that would cycle through all of the combinations of letters and numbers until the correct password was found.

Requiring a user to use a combination of letters, numbers, capitalization, and/or punctuation makes brute force attacks extremely difficult as it presents a mind boggling amount of possible combinations that could take significant resources and time to crack.

2. Trojans/Keyloggers - Get the target to download and run a program with a trojan or keylogger injected in it and it's only a matter of time before you have what you're after. Getting unsuspecting targets to execute infected executables is actually easier than one would think (See also Social Hacking below).

3. Network Hacking - Hacking into someone's network really isn't all that difficult, I won't get into the specifics, but, it's another way for a hacker to get sensitive info such as account information.

4. Social Hacking - It's amazing how little is known about this tactic that is so widely used by hackers. A productive hacker is often times a good con man/woman, who can trick people into giving them bits of information that will help the hacker determine information they need to gain access or they can trick a person into trusting them and running infected files or unknowingly install backdoors.

5. Hack a less secure site - Most users use the same login credentials on multiple websites, a hacker could simply hack a different website that has a much weaker security system in place and obtain the user's credentials and use them on the website with stronger security

6. Server & Software vulnerabilities - As I mentioned before, I worked on security software for high level government agencies. The company I worked for had placed a backdoor in the software so that if needed, we could log in and tweak the settings or diagnose problems remotely. The problem is, the password used was a simple dictionary password that could easily be thought up and there were no other methods for authentication. Meaning, some kid could remotely access the software that protected the highest levels of our government's agencies undetected and control "things". I want to note that I objected to this to those in charge but they didn't seem to care and I was barred by an NDA from telling the government about this. None the less, this type of thing is far too common and there are other weaknesses that can be and are used to exploit servers, etc.

These are just a few ways for passwords to be obtained by the hacker and while I see your logic, the system you are proposing does not account for many of these methods and several other tactics that a hacker can use to obtain passwords. I want to make it very clear that hacking was something I did when I was young, I have long ago renounced that part of my life, so reader's, please don't judge or condemn me.

I think, on current technical level, each of us should check each new password for strength Safe Password Generator - Strong secure password generator online