Re: Bank Of Montreal Online Security

[Alexander Meesters <a.meesters () sansyl com>]

i dont think brute-force is the issue here, most likely a attack on such a system would be by sql-injection, once they 
have the credentials its easy enough to utilize rainbow tables in order to get a useable password. 

although its unlikely a bank would use a unsave hashing algorithm like md5 or sha1, the rainbow tables available today 
for those algorithms are up to 12 characters in length. 

IMHO they, and for that matter, everybody are far better off using pass-phrases, for example:"i do not like waffles", 
or "my 2 grand kids are awesome!" 
its both easy memorable and though to crack, and far exceeds any available rainbow table out there! 

just my 2 cents, 

Alex 

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------