by epriest
2708 days ago
> For online attacks, an attacker can't even try the top 1000 passwords for an account in any major website in reasonable time without triggering the alarm, as they all(?) have rate limiting (usually in the form of account lockdown after single-digit failed attempts).

This is empirically a practical attack: attackers successfully executed a common password brute force attack against GitHub in late 2013 by using a botnet with 40,000 distinct remote addresses: https://github.blog/2013-11-20-weak-passwords-brute-forced/