by nbpoole 5615 days ago
"I don't think checking every hash within one of the password is going to cost much, worst case you're checking less than 1,000 passwords."

If that's the case, you're doing it wrong (it being password hashing). Because if you can hash 1000 passwords fairly quickly, that's the lower bound of what a dedicated attacker can do. ;)

1 comments

If Amazon is letting someone attempt 1000 failed login attempts, even over several hours or a day, they're doing something wrong.
You also have to consider the possibility of an offline attack (i.e., if Amazon's database were compromised and password hashes were leaked).
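Added example, not part of the thread: a sketch of the cost argument made in the comments above, comparing what 1,000 candidate passwords cost under a single salted SHA-256 versus a work-factored KDF, which is what matters once hashes have leaked. The function names and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# Assumed work factor for illustration; tune it to your own hardware and latency budget.
PBKDF2_ITERATIONS = 200_000


def fast_hash(password: bytes, salt: bytes) -> bytes:
    """One salted SHA-256: cheap for the server, equally cheap per guess."""
    return hashlib.sha256(salt + password).digest()


def slow_hash(password: bytes, salt: bytes,
              iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: every guess pays the full iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def verify(password: bytes, salt: bytes, stored: bytes) -> bool:
    """Recompute the slow hash and compare in constant time."""
    return hmac.compare_digest(slow_hash(password, salt), stored)


def seconds_for_guesses(hash_fn, guesses: int = 1000, sample: int = 5) -> float:
    """Time a small sample of hashes and extrapolate to `guesses` candidates."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(sample):
        hash_fn(b"candidate-%d" % i, salt)  # constructed candidate values
    per_hash = (time.perf_counter() - start) / sample
    return per_hash * guesses


if __name__ == "__main__":
    fast = seconds_for_guesses(fast_hash, sample=200)
    slow = seconds_for_guesses(slow_hash, sample=5)
    print(f"1,000 guesses, salted SHA-256: {fast:.6f} s")
    print(f"1,000 guesses, PBKDF2 x{PBKDF2_ITERATIONS}: {slow:.1f} s")
```

The fast figure is the lower bound on what a commodity CPU does; the work factor only raises the per-guess cost of an offline attack, while online guessing still has to be limited at the login endpoint.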