Hacker News new | ask | show | jobs
by wizardishungry 5063 days ago
If the number of salts used in the system is equal to the number of users, this could be expensive.
2 comments
jarito 5063 days ago
They will just check your password against a list of 'bad' passwords when you log in. No need to brute force the stored hash.
link
wizardishungry 5063 days ago
A little bit of googling makes it seem like auth tokens are not sent it plaintext over HTTPS but are authenticated using challenge response – http://forums.dropbox.com/topic.php?id=47952 The WWW site may differ.
link
wizardishungry 5063 days ago
Obviously that would work, but not if you're using Challenge-response authentication. In general, I don't think people bother with now that when using https.
link
tedunangst 5063 days ago
Assuming they use straight up salted sha256, my five year old core2 laptop does at least 10,000 per second, per core. They could check every user for the top 10k passwords for a few hundred bucks of EC2 time.
link
xentronium 5063 days ago
Why do you assume that?
link