by throwawayReply
3583 days ago
With a weak password, step 2 is redundant, even with more than the recommended rounds of bcrypt/scrypt: if your password is "123456", it's getting cracked. verify(candidate, storedEntry) has to run in a time reasonable for a web service to handle, which means that 123456 is still going to get tried against all the accounts in a reasonable time.
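The trade-off the comment describes, as an added example rather than anything from the comment's author: the verify cost is bounded by what a login endpoint can afford, so the only defence against a password like "123456" is to refuse it at registration. The scrypt parameters, the tiny blocklist and the helper names (`register`, `verify`, `is_weak`, `seconds_to_try_one_candidate`) are all assumptions made for this example; a real deployment would use a large breached-password list.

```python
import hashlib
import hmac
import os
import time

# Hypothetical cost parameters, chosen so that one verify() stays within the
# tens-of-milliseconds budget a web login can tolerate (hashlib.scrypt with
# n=2**14, r=8 needs about 16 MiB per call).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32

# Constructed, deliberately tiny stand-in for a real breached-password list.
WEAK_PASSWORDS = {"123456", "123456789", "password", "qwerty"}


def hash_password(password: str) -> dict:
    """Step 2 from the thread: salted scrypt, parameters stored with the entry."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return {"salt": salt, "hash": digest, "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P}


def verify(candidate: str, stored: dict) -> bool:
    """Recompute with the stored salt/parameters; compare in constant time."""
    digest = hashlib.scrypt(candidate.encode("utf-8"), salt=stored["salt"],
                            n=stored["n"], r=stored["r"], p=stored["p"], dklen=DKLEN)
    return hmac.compare_digest(digest, stored["hash"])


def is_weak(password: str) -> bool:
    """Blocklist plus a minimum length; this is what actually stops '123456'."""
    return password in WEAK_PASSWORDS or len(password) < 8


def register(password: str) -> dict:
    """Refuse weak passwords before hashing; hashing alone cannot save them."""
    if is_weak(password):
        raise ValueError("password is on the blocklist or too short")
    return hash_password(password)


def seconds_to_try_one_candidate(accounts: int, samples: int = 3) -> float:
    """Time one verify() on this machine and scale it by the number of accounts.

    This is the comment's point in numbers: whatever the rounds, a single
    weak candidate costs an attacker roughly accounts * (one verify) to try
    against every stored entry, and that verify must stay cheap for logins.
    """
    entry = hash_password("correct horse battery staple")
    start = time.perf_counter()
    for _ in range(samples):
        verify("123456", entry)
    per_verify = (time.perf_counter() - start) / samples
    return per_verify * accounts


if __name__ == "__main__":
    entry = register("a-long-enough-passphrase")
    print("verify correct:", verify("a-long-enough-passphrase", entry))
    print("verify wrong:  ", verify("123456", entry))
    try:
        register("123456")
    except ValueError as exc:
        print("register('123456') rejected:", exc)
    print("seconds to try one candidate against 100k accounts:",
          round(seconds_to_try_one_candidate(100_000), 1))
```

Run it once to see the cost figure for your own hardware; raising `SCRYPT_N` makes that number grow, but it makes every legitimate login slower by the same factor, which is exactly why the blocklist check in `register` is the part that matters for "123456".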