Hacker News
by jopsen 2196 days ago
Publishing a salted hash (even if it's a memory- and time-hard hash) is the same as allowing unlimited login attempts.

Limiting login attempts by IP, username, and time is the best way to mitigate attacks.

Even a weak password is hard to crack with 5 attempts per day :)

1 comment

Given a salted hash, you can test passwords many orders of magnitude faster than you can do online. As some attackers can control a botnet, limiting attempts by ip has limited value. If you limit by username and time, you open the door to a denial-of-service attack: I could lock you out of your account by simply trying to log in as you repeatedly.

There are few easy answers in security.
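The two comments above disagree on what to key a login-attempt limiter on. As an added illustration (not code from either commenter), the sliding-window limiter below can be keyed either by username alone, which is what the reply warns enables a lockout denial-of-service, or by the (username, source IP) pair, which avoids that but hands a botnet one budget per address, the reply's other point. The usernames, the "5 attempts per day" budget and the IP addresses (from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are constructed for the demo.

```python
import time
from collections import deque

WINDOW_SECONDS = 24 * 3600   # one-day window, assumed for the demo
MAX_ATTEMPTS = 5             # the "5 attempts per day" figure from the thread


class LoginRateLimiter:
    """Sliding-window limiter for failed login attempts.

    key_by="username"    -> one budget per account (lockout DoS possible)
    key_by="username_ip" -> one budget per (account, source IP) pair
    """

    def __init__(self, key_by="username_ip",
                 max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        if key_by not in ("username", "username_ip"):
            raise ValueError("key_by must be 'username' or 'username_ip'")
        self.key_by = key_by
        self.max_attempts = max_attempts
        self.window = window
        self._failures = {}  # key -> deque of failure timestamps (oldest first)

    def _key(self, username, ip):
        return username if self.key_by == "username" else (username, ip)

    def _prune(self, key, now):
        # Drop failures that have aged out of the window, then return the deque.
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allowed(self, username, ip, now=None):
        """True if this (username, ip) may still attempt a login right now."""
        now = time.time() if now is None else now
        return len(self._prune(self._key(username, ip), now)) < self.max_attempts

    def record_failure(self, username, ip, now=None):
        """Call after a failed password check."""
        now = time.time() if now is None else now
        self._prune(self._key(username, ip), now).append(now)


# Constructed demo values (documentation IP ranges, not real hosts).
VICTIM = "alice"
VICTIM_IP = "198.51.100.7"
ATTACKER_IP = "203.0.113.9"
T0 = 1_700_000_000.0


def lockout_dos_possible(key_by):
    """Can a remote client exhaust the victim's budget so that the victim,
    logging in from her own address, is refused? (The reply's DoS point.)"""
    limiter = LoginRateLimiter(key_by=key_by)
    for i in range(MAX_ATTEMPTS):
        limiter.record_failure(VICTIM, ATTACKER_IP, now=T0 + i)
    return not limiter.allowed(VICTIM, VICTIM_IP, now=T0 + MAX_ATTEMPTS)


def guesses_available(key_by, n_ips):
    """How many password guesses against one account fit in a single window
    when the guesser controls n_ips distinct source addresses (the botnet case)."""
    limiter = LoginRateLimiter(key_by=key_by)
    guesses = 0
    for i in range(n_ips):
        ip = f"203.0.113.{i}"
        while limiter.allowed(VICTIM, ip, now=T0):
            limiter.record_failure(VICTIM, ip, now=T0)
            guesses += 1
    return guesses


def budget_resets_after_window():
    """Returns (allowed_immediately, allowed_after_one_window)."""
    limiter = LoginRateLimiter()
    for _ in range(MAX_ATTEMPTS):
        limiter.record_failure(VICTIM, VICTIM_IP, now=T0)
    return (limiter.allowed(VICTIM, VICTIM_IP, now=T0),
            limiter.allowed(VICTIM, VICTIM_IP, now=T0 + WINDOW_SECONDS))


if __name__ == "__main__":
    for policy in ("username", "username_ip"):
        print(policy, "lockout DoS:", lockout_dos_possible(policy),
              "guesses/window from 100 IPs:", guesses_available(policy, 100))
    print("reset after window:", budget_resets_after_window())
```

Keying on the pair keeps one address from locking a user out, but the guess budget scales linearly with the addresses an attacker controls, which is why neither keying alone settles the question and why the reply concludes there are few easy answers.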