by hanche 2196 days ago
Given a salted hash, you can test passwords many orders of magnitude faster than you can do online. As some attackers can control a botnet, limiting attempts by IP has limited value. If you limit by username and time, you open the door to a denial-of-service attack: I could lock you out of your account by simply trying to log in as you repeatedly.

There are few easy answers in security.
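The trade-off the comment describes can be seen by running the same login attempts through three throttling policies. The following is an added example written for this page, not code from the commenter or from any real site: it is a sliding-window rate limiter keyed either by source IP, by username, or by the (username, IP) pair, and a constructed scenario in which a botnet of 50 addresses makes 5 attempts each against one account before the legitimate user tries to sign in from her own address. The usernames, IP addresses (drawn from the documentation ranges), limits and window are all made-up values.

```python
from collections import defaultdict, deque

MAX_ATTEMPTS = 5        # attempts allowed per key within the window (constructed value)
WINDOW_SECONDS = 300    # 5-minute sliding window (constructed value)


class LoginRateLimiter:
    """Sliding-window counter of login attempts per key.

    The key is chosen by the caller (see key_for), which is what decides
    whether the limiter is per-IP, per-account, or per-(account, IP).
    """

    def __init__(self, max_attempts=MAX_ATTEMPTS, window_seconds=WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.attempts = defaultdict(deque)  # key -> timestamps of allowed attempts

    def allow(self, key, now):
        """Return True if an attempt under `key` at time `now` may proceed.

        Blocked attempts are not recorded, so the window does not extend
        itself indefinitely while a key is being hammered.
        """
        window = self.attempts[key]
        while window and now - window[0] >= self.window:
            window.popleft()  # drop attempts that fell out of the window
        if len(window) >= self.max_attempts:
            return False
        window.append(now)
        return True


def key_for(policy, username, ip):
    """Map a throttling policy name (hypothetical names) to a limiter key."""
    if policy == "per_ip":
        return ("ip", ip)
    if policy == "per_user":
        return ("user", username)
    if policy == "per_user_ip":
        return ("user_ip", username, ip)
    raise ValueError(f"unknown policy: {policy}")


def simulate(policy, botnet_size=50, attempts_per_bot=5):
    """Run the constructed scenario under one policy.

    Returns (attacker_attempts_allowed, legitimate_user_allowed):
    how many of the botnet's guesses reached the password check, and
    whether the account owner can still log in afterwards.
    """
    limiter = LoginRateLimiter()
    victim = "alice"          # constructed account name
    clock = 0                 # deterministic clock: one second per attempt
    attacker_allowed = 0

    for bot in range(botnet_size):
        bot_ip = f"203.0.113.{bot + 1}"   # TEST-NET-3 documentation range, constructed
        for _ in range(attempts_per_bot):
            clock += 1
            if limiter.allow(key_for(policy, victim, bot_ip), clock):
                attacker_allowed += 1

    clock += 1
    # The real account owner signs in from her own (constructed) address.
    victim_allowed = limiter.allow(key_for(policy, victim, "198.51.100.7"), clock)
    return attacker_allowed, victim_allowed


if __name__ == "__main__":
    for policy in ("per_ip", "per_user", "per_user_ip"):
        guesses, owner_ok = simulate(policy)
        print(f"{policy:12s} botnet guesses reaching the check: {guesses:3d}  "
              f"account owner can log in: {owner_ok}")
```

Per-IP throttling lets every one of the 250 guesses through because no single address exceeds its quota; per-username throttling stops the guessing after 5 attempts but also rejects the account owner, which is exactly the lockout the comment warns about; keying on the (username, IP) pair spares the owner but again admits all 250 guesses. None of the three policies removes the need for a slow, salted hash on the server side.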