|
|
|
|
|
|
by 0cf8612b2e1e
741 days ago
|
|
|
Even if they did not explicitly implement rate limiting, an online attack is going to take enormously longer to execute. Querying an online service is going to add say 100msec roundtrip on top of the actual password hashing time. I thought guidelines were that passwords should take 500msec to calculate. So, call it 600 msec per submitted password. Many servers will melt before being able to respond to any serious brute forcing attempt. |
|
|