Hacker News new | ask | show | jobs
by tptacek 3359 days ago
Wait, what's the brute-force attack you're contemplating here? I'm thinking of the attack where you've compromised the servers and stolen the verifiers.
1 comments
tprynn 3359 days ago
Looking back at my notes, I think my earlier comment was misleading. The offline brute force was due to an insecure random number generator, which allowed an attack against B to recover b (and from there crack the 8 digit code). So, uh, ... I'm wrong on the internet. I think we've talked about this attack before actually :P
link
tptacek 3359 days ago
Ok, that makes more sense! There are some pretty huge systems that would be very, very broken if the attack you accidentally described was viable. :)

I agree with you that SRP is worth avoiding.

link