Apologies for taking so long to respond to your excellent post; it obviously took some time and effort and deserved better. (I'm amazed that nobody else has responded in the interim.)

Looking back on this thread and thinking back on similar ones, I'm struck by the fact that considerable time has been devoted to in-depth discussion of defenses, i.e. strength of passwords, while virtually none has been spent discussing threats, i.e. hackers, who, heretofore, have been no more than nebulous bogeymen...real, but nonetheless vague, threats.

So thanks for both explaining what hackers actually do and giving me some insight into what the strength of my passwords actually means in real-world terms...kinda, sorta, more or less, anyhow. :P

> It is sometimes possible to study a hashing algorithm and be able to create a collision--a string that hashes the same way that the password you're trying to crack hashes--so as to engineer a break of the account by using a collision. This is how the Flame malware writers were able to send out their malware disguised as official Microsoft system updates; they created a collision of the hash that Microsoft used when Microsoft created their security certificate that they use to sign their real system updates.

But how did the Flame writers know what the algorithm and Microsoft's hash were?

> "Aha! I just figured out 176,543,810 of the passwords in this list of five million accounts I stole!"

Remarkable! You're in the wrong business. :D

Thanks, again. :)


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire