Right. Brute forcing passwords (ie. checking every single value. aaaaaa, aaaaab, aaaaac) still takes a long time. But the hackers use dictionaries, and tons of arcane rules about how humans typically create passwords.
The biggest threat is that people (generally) don't use unique passwords. They use the same password on every site, or at best, a few passwords on a large number of sites, all identified by at least email address and password.
One compromised site leads to abuse at other sites. Until of course they hit paydirt on a site related to something financial..
AFAIK, the most serious threat to passwords is that they can be monitored when their owners enter them via open Wi-Fi hotspots. In that case, no cryptography is required: unless the owner has his email set up for encrypted connections (the default settings don't do that), his password is transmitted en clair.
Of course, once the password is compromised, it (or trivial variations of it) can be used to gain access to other sites and/or email accounts, *EVEN**IF* those sites use encryption. /That/ is probably the most dangerous scenario: if a user has the same or very similar passwords for "POP"-based email reception or to send outgoing emails, or at a gaming site or online forum that doesn't use SSL encryption, then the attacker can access web-based email sites with it.
In other words, if your Gmail password is the same one you use when sending or receiving emails in Outlook, Thunderbird, Eudora, etc., then a nearby sniffer can get it without any decryption effort or delay. One common attack that is currently in use is to obtian the password of a user, use it to access Gmail or Yahoo mail, lock out that same user by changing it, and then use the user's online address book to send his/her friends and family a sad-luck tale that creates a lot of Western Union transfers very quickly, typically by claiming that the owner was in a foreign country on short notice and has been mugged.
I'm like most travellers in one way: if I'm in a place with open Wi-Fi, I'll take advantage of it to check my mail while waiting for my flight. However, unlike most travellers, I have my email connections set to connect using SSL, and thereby deny nearby sniffers any chance to copy my email addresses or passwords.
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.