[ejb999]

This article is pointless clickbait - what percent of systems don't have some sort of throttling or lockout after X number of bad guesses - damn few I would say. Even the most basic, low budget systems I have developed or worked on have throttling rules in place - many with exponentially increasing timeouts that would prevent this sort of attack.

If a website/system does not implement even the most basic security practices, then there are probably a lot of easier ways to hack into in than trying 100,000+ different passwords in a row.

[userbinator]

It reminds me of the 4-digit PINs on payment cards --- yes, the "keyspace" is tiny, but you're going to be locked out long before you get close to exhausting it.

[danielparks]

Given the number of services that turned out to use plaintext or trivial password hashing (e.g. MD5), I would bet there are a bunch of services out there that do not effectively limit OTP attempts.

It’s been a long time since I did any work on a real authentication system — since before TOTP was common, anyway. I appreciated the post and found it interesting.

[captn3m0]

MS had a 7 digit code, and some rate limiting, but even that was insufficient: https://thezerohack.com/how-i-might-have-hacked-any-microsof...

(7 digit reset code for forgot password flows)

[rrrrrrrrrrrryan]

If there's a leak of valid usernames or email addresses, for a system that has a few million users, that has a lockout after 10 wrong guesses, then you could gain access to one account for every 10,000 lockouts.

[seba_dos1]

> leak of valid usernames or email addresses

...and passwords, because OTP is the second factor.