Quote: Originally Posted by SIXTYONESIX
Make your password longer than 8 characters and you don't need a token.

ForgetThisPasswordNever
IHateRMTWithAFieryPassion
BillLikesToPickHisNose.

Passwords like that have so much entropy that it would take thousands of years to crack, and they are much easier to remember than a random string of BS letters and digits. Don't get me wrong, a security token is a really good idea, but if you can't get one for some reason, this is the next best step.
That's not how they do it. Look up rainbow tables. Many backends don't use a salted password hash, so all they have to do is "for each (rainbowtable) {cat stolenpasswords | grep (passwordhash)}" and they have a list of accounts to hack. No brute-forcing required.
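
Added example, not part of either post: the difference between the unsalted storage the reply describes and per-user salted storage, seen from the side of whoever runs the backend. The account names, the choice of SHA-256 and PBKDF2, the iteration count, and the plain dictionary standing in for a precomputed table are all assumptions made for illustration.

```python
import hashlib, hmac, os

# Constructed sample data: three accounts, two of which share a password.
ACCOUNTS = {
    "alice": "ForgetThisPasswordNever",
    "bob": "ForgetThisPasswordNever",
    "carol": "IHateRMTWithAFieryPassion",
}

def unsalted(password):
    """Weak scheme: a bare hash, so equal passwords give equal digests everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted(password, salt=None, iterations=200_000):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify(password, salt, digest, iterations=200_000):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)

def precomputed_hits(store, table):
    """Accounts whose stored hash appears in a precomputed hash -> password table."""
    return sorted(user for user, h in store.items() if h in table)

def demo():
    # A table built once, independent of any particular site (assumed contents).
    table = {unsalted(p): p for p in set(ACCOUNTS.values())}
    weak_store = {u: unsalted(p) for u, p in ACCOUNTS.items()}
    strong_store = {u: salted(p) for u, p in ACCOUNTS.items()}
    strong_hex = {u: d.hex() for u, (_, d) in strong_store.items()}
    return {
        "weak_hits": precomputed_hits(weak_store, table),
        "strong_hits": precomputed_hits(strong_hex, table),
        "weak_duplicates": weak_store["alice"] == weak_store["bob"],
        "strong_duplicates": strong_store["alice"][1] == strong_store["bob"][1],
        "verify_ok": verify(ACCOUNTS["alice"], *strong_store["alice"]),
    }

if __name__ == "__main__":
    print(demo())
```

With unsalted hashes every account matches the precomputed table and identical passwords are visible as identical digests; with a random salt per account neither holds, while normal login verification still works.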