by ses1984
741 days ago
Generally speaking you can divide attacks like these into two types, online and offline. In an offline attack, the attacker has somehow gained access to some encrypted and/or hashed secrets, and they're trying to break the encryption or reverse the hash. There's nothing getting in their way except for time and compute power. In an online attack, there is some system in between the attacker and the target, like an authentication server, that can implement stuff like fail2ban, captchas, rate limiting, etc.

I thought guidelines were that passwords should take 500 msec to calculate. So, call it 600 msec per submitted password. Many servers will melt before being able to respond to any serious brute forcing attempt.
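
The rate-limiting point from the first comment and the hashing-cost point from the second, as an added example that is not part of the thread: a verifier that checks a per-account sliding-window limit before it runs the expensive hash, so throttled guesses cost the server no KDF work. The class name, the 5-attempts-per-60-seconds policy and the low PBKDF2 iteration count are assumptions chosen for the demo.

```python
import hashlib, hmac, os
from collections import defaultdict, deque

MAX_ATTEMPTS = 5        # assumed policy: attempts allowed per window
WINDOW_SECONDS = 60.0   # assumed policy: sliding window length
ITERATIONS = 1_000      # deliberately low so the demo runs fast; tune upward in production

class ThrottledVerifier:
    """Check the rate limit *before* running the expensive password hash."""

    def __init__(self):
        self.users = {}                      # username -> (salt, derived key)
        self.attempts = defaultdict(deque)   # username -> timestamps of counted attempts
        self.hashes_computed = 0             # how much KDF work the server actually did

    def _kdf(self, password, salt):
        self.hashes_computed += 1
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, self._kdf(password, salt))

    def login(self, username, password, now):
        """Return 'ok', 'denied' or 'throttled'. `now` is injected so the demo is deterministic."""
        recent = self.attempts[username]
        while recent and now - recent[0] >= WINDOW_SECONDS:
            recent.popleft()                 # forget attempts outside the window
        if len(recent) >= MAX_ATTEMPTS:
            return "throttled"               # rejected without spending any CPU on hashing
        recent.append(now)
        salt, stored = self.users.get(username, (b"\0" * 16, b""))
        candidate = self._kdf(password, salt)   # unknown users cost the same as known ones
        return "ok" if hmac.compare_digest(candidate, stored) else "denied"

def simulate_guessing(n_guesses=100, spacing=0.1):
    """Constructed scenario: n wrong guesses against one account, `spacing` seconds apart."""
    v = ThrottledVerifier()
    v.register("alice", "correct horse")
    v.hashes_computed = 0                    # count only the work caused by login attempts
    results = [v.login("alice", f"guess{i}", now=i * spacing) for i in range(n_guesses)]
    guess_hashes = v.hashes_computed
    # The legitimate user tries again once the window has fully expired.
    after = v.login("alice", "correct horse", now=n_guesses * spacing + WINDOW_SECONDS)
    return results.count("denied"), results.count("throttled"), guess_hashes, after
```

A per-account limit like this also throttles the legitimate user while the window is full, which is why deployments usually combine it with per-source limits or captchas.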