Slashdot posted a link to this article on the strength of various passwords. Most of it is pretty straightforward, but there's one element of it that puzzles me -- and has puzzled me for many years now.
Based on the experiences I had back in the day, the ONLY number in that article that would actually matter would be the first one, and in fact the first one would be useless after a few fractions of a second. Because most sites won't let you just keep entering your username and password over and over and over -- after three, or five, or some other relatively small number of tries, they lock you out.
That's why having the lists of commonly-used passwords was so important in the old days; you weren't trying to get *MY* password, you were trying to get *ANY* password, and you hoped that you'd hit a good one before the machine locked you out.
If you HAVE my password to play with offline, you don't need to decode it.
So how is it that people can not know my password, not be able to directly try to log into the target machine, and yet still be able to apply teraflops of processing to crack it? Where do they get access to the password -- without actually having access to the password -- so that they can try to break it by brute force?