Well, now that you gave me a baseline, it is time to show you how oh so wrong you are.
Taking your example, there are 84 possible chars for each spot (52 letters, 10 numbers, 10 chars above the numbers and 11 other chars). You have to remember several chars cannot be used in a password, and in those 84 I was giving some extra. Chances are it would be limited to maybe 73 in most cases, which would push the number needed to match Google even higher than the 12 already.
Now, there are 26 for each of Google's possible 16 spots.
Now, for your password to be better than a Google password, it has to be a min of 12 chars long.
For Google's 16 chars there are
43,608,742,899,428,874,059,776 possible passwords. That is knowing that it is 16 chars long and all lower case.
Mix that with server time at a max of 100 tries per sec, and it would take on average 6,971,420,173,967.42 YEARS to brute force a Google random password. So even if you had 20 possible random ones, that is not going to bring down the number that much at all, and really has a pretty limited effect.
It is simple math.
To figure out the average time, take that big long number of possible passwords and divide by 2. That gives you the average case for brute force.
So really you might want to do some math fact checking before you try to call it insecure.
The reason for the limitation of 100 tries per second is that it is being nice on the max number of server pings Google would allow you to hit it with. Just raw brute force hacking without that limitation, you are still talking years for a brute force hack job, as you are maxing out your CPU speeds here.
Really do some basic math checking here.
Either way, your secure password at min, which is 8 chars long:
2,478,758,911,082,496 < 43,608,742,899,428,874,059,776
Thank you for spreading FUD and getting owned by basic math skills.
Does not negate it. Passwords can be and often are stolen. Let's assume someone got a keylogger on you when you entered it once. They got the password, but that password is only semi-useful to hack in, as you cannot brute force it due to the limitation on the Google server side.
Passwords can be stolen. The 2 step is a little harder to do. This is one more step to protect your stuff.
I already showed you that the Google random password beats out your secure one. Using Mac keychain is not exactly a valid argument for remembering, as you cannot log in from elsewhere if need be.
I know how to remember long passwords that are hard to hack. There are tricks, and up to 10 chars it is fairly easy to make it look random to everyone but, say, you.
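The keyspace comparison argued in the post above, written out as an added example that is not part of the original post. It takes the post's figures as inputs (26 lowercase letters over 16 positions, an 84- or 73-character set, 100 guesses per second); the function names and the 365-day year are assumptions made here.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600  # assumption: 365-day year


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def min_length_to_exceed(alphabet_size, target_space):
    """Shortest length at which this alphabet's keyspace exceeds the target."""
    length = 1
    while keyspace(alphabet_size, length) <= target_space:
        length += 1
    return length


def average_years(space, guesses_per_second):
    """Expected search time: on average half the keyspace is tried."""
    return (space // 2) / guesses_per_second / SECONDS_PER_YEAR


def compare(rate=100):
    """Compare the post's candidates against the 16-char lowercase password."""
    generated = keyspace(26, 16)
    rows = []
    for label, size, length in [("26 chars x 16", 26, 16),
                                ("84 chars x 8", 84, 8),
                                ("84 chars x 12", 84, 12)]:
        space = keyspace(size, length)
        rows.append((label, space, round(entropy_bits(size, length), 1),
                     average_years(space, rate), space > generated))
    return rows


if __name__ == "__main__":
    for label, space, bits, years, beats in compare():
        print(f"{label:14} {space:>27,} {bits:5.1f} bits "
              f"{years:10.3e} years  beats 26x16: {beats}")
    for size in (84, 73):
        n = min_length_to_exceed(size, keyspace(26, 16))
        print(f"{size}-char alphabet needs length {n} to exceed 26^16")
```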