
After seeing a number of threads pop up with concern regarding certain institutions using case-insensitive passwords, I think most people responding are missing the practical take-away. There are broader security practices - using unique passwords, using 2-factor authentication when available, using a password manager, using "fake" information on password reset questions, using completely randomized passwords - that are going to benefit you far more than introducing capitalization into your password.

All of that discussion is based on the assumption that hackers are trying to brute-force (aka, guessing every possible character combination) their way into a system. Simply put, they're not. Not even close. Why?

The only practical way to run a brute force attack is to have a local copy of the user database on the hacker's machine - meaning the bank on the whole has been hacked and compromised. If that's the case, there are much bigger problems at hand and you're probably not going to be held liable for anything. You can't run a brute force attack through an online portal, as most banks shut you out after a number of failed login attempts.
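The lockout the post refers to is easy to see in code. The following is an added example, not from the original post or any bank's software, showing how an online login check limits guessing: a stored record holds a random salt and a slow PBKDF2 hash rather than the password, failed attempts are counted, and once the constructed limit is reached the account is refused for a fixed window without even evaluating the password. The names, limits and round count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed, illustrative parameters (assumptions, not from the post).
MAX_FAILURES = 5          # failed attempts allowed before the account locks
LOCKOUT_SECONDS = 900     # how long the account stays locked after that
PBKDF2_ROUNDS = 200_000   # slow hash: makes an offline attack on a stolen DB expensive


def make_record(password: str) -> dict:
    """Build the stored credential record: random salt plus PBKDF2 hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "failures": 0, "locked_until": 0.0}


def attempt_login(record: dict, password: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'bad_password' or 'locked'; the lockout is enforced before any hashing."""
    now = time.time() if now is None else now
    if now < record["locked_until"]:
        return "locked"  # refuse outright while locked; no information about the password leaks
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    if hmac.compare_digest(digest, record["hash"]):  # constant-time comparison
        record["failures"] = 0
        return "ok"
    record["failures"] += 1
    if record["failures"] >= MAX_FAILURES:
        record["failures"] = 0
        record["locked_until"] = now + LOCKOUT_SECONDS
    return "bad_password"


if __name__ == "__main__":
    rec = make_record("correct horse battery")  # constructed sample credential
    print(attempt_login(rec, "correct horse battery"))   # ok
    for _ in range(MAX_FAILURES):
        attempt_login(rec, "wrong guess")
    print(attempt_login(rec, "correct horse battery"))   # locked, even with the right password
```

With a limit of five attempts per fifteen minutes, an online guesser gets on the order of a few hundred tries per day per account, which is why the keyspace of the password is irrelevant to the online case; only a stolen copy of the database lets anyone try millions of guesses, and there the slow hash and a long random password are what buy time.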

A hacker is only going to go after your bank accounts if he's gotten the password from somewhere else - so how does that happen? Because you used that password somewhere else.

Banks might not have their user databases hacked often, or at all, but many sites online that we frequent and have accounts with do. Yahoo has been hacked several times at this point in the past year, if you need a reference. When that happens, a hacker will brute force the (hopefully, but not always) encrypted database in an attempt to get a list of usernames, passwords, and other personal information you probably don't realize you're giving up. With that information in hand, they can start trying to get into your email or other accounts. It doesn't matter how long or "complex" your password is at that point.

As an aside, brute force attacks are also rarely carried out as theorized - the use of password dictionaries and permutations thereof means the majority - 60-90% of a database - can be hacked easily even when long and complex passwords are used. The 10-40% that aren't are typically those that are randomly generated and sufficiently long.

Then there's social engineering, which is its own beast.

If you're worried about capitalization in your passwords, then you're worried about the wrong thing. I highly suggest looking into password managers, such as LastPass, which make the suggested practice of using long, completely random, unique passwords extremely easy. Many of those tools also allow you to securely store notes about sites - such as the fake or completely unrelated answers you used in the password reset questions. All of the hassle gets reduced to remembering a single, strong password.

EDIT: Formatting



Submitted April 21, 2017 at 04:59PM by Einbrecher http://ift.tt/2p0p4ZL
