by dsl 4327 days ago
> use them as forgotten password hashes

Please don't.

The author tries to trick you into believing it is secure by including a salt. However, the resulting key space of the "hash" gives you the same security as a 5-6 character alphanumeric password. A motivated attacker could enumerate all possibilities in a few hours.


You could use that argument to say 4-digit bank card PINs are really bad security - and you'd be right, except that they're always locked out after N attempts.

Why not the same approach here? If you try to brute force a password reset, you lock out further attempts for a few minutes.

You can then use this lockout for a denial of service attack.

Oh no ... I am unable to change my (perfectly secure) password for ten minutes because an attacker is attempting to brute force my password reset. I'd regard that as a feature, not a bug.

You don't need to lock out the entire account.
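As an added illustration of the two points argued in this thread (the key-space arithmetic behind the "5-6 character alphanumeric password" comparison, and limiting attempts per reset token rather than locking the whole account), here is a small Python example. It is not code from the linked article or from any commenter; the store, the 5-failure cap, the 15-minute lifetime, the 256-bit random token and the injectable clock are all assumptions chosen for the example.

```python
from __future__ import annotations

import hmac
import math
import secrets
import time
from dataclasses import dataclass

ALPHANUMERIC = 62  # size of [A-Za-z0-9]


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def seconds_to_enumerate(bits: float, guesses_per_second: float) -> float:
    """Worst-case wall-clock time to try every value in a 2**bits space."""
    return (2.0 ** bits) / guesses_per_second


@dataclass
class ResetToken:
    token: str
    expires_at: float
    failures: int = 0


class ResetTokenStore:
    """In-memory reset-token store (assumed design, not the article's).

    A token is unguessable (256 random bits), single use, short lived, and
    burned after MAX_FAILURES wrong guesses against it. Only the pending
    token is discarded: login and the account itself are never locked, so
    an attacker hammering the reset endpoint cannot deny the user service.
    """

    MAX_FAILURES = 5            # assumed cap per issued token
    TTL_SECONDS = 15 * 60       # assumed token lifetime
    TOKEN_BYTES = 32            # 256 bits of randomness

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable for deterministic testing
        self._by_user: dict[str, ResetToken] = {}

    def issue(self, user_id: str) -> str:
        """Create (or replace) the pending reset token for a user."""
        token = secrets.token_urlsafe(self.TOKEN_BYTES)
        self._by_user[user_id] = ResetToken(token, self._clock() + self.TTL_SECONDS)
        return token

    def has_pending(self, user_id: str) -> bool:
        return user_id in self._by_user

    def redeem(self, user_id: str, presented: str) -> bool:
        """Return True and consume the token if `presented` matches."""
        entry = self._by_user.get(user_id)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._by_user[user_id]          # expired: discard silently
            return False
        if hmac.compare_digest(entry.token.encode(), presented.encode()):
            del self._by_user[user_id]          # single use
            return True
        entry.failures += 1
        if entry.failures >= self.MAX_FAILURES:
            # Burn this token only; the user can request a fresh one.
            del self._by_user[user_id]
        return False


if __name__ == "__main__":
    for n in (5, 6):
        bits = keyspace_bits(ALPHANUMERIC, n)
        hours = seconds_to_enumerate(bits, 1e6) / 3600
        print(f"{n}-char alphanumeric: {bits:.1f} bits, "
              f"{hours:.1f} h at 1M guesses/s")
    store = ResetTokenStore()
    tok = store.issue("alice")
    print("wrong guess accepted:", store.redeem("alice", "not-the-token"))
    print("right token accepted:", store.redeem("alice", tok))
```

The arithmetic half makes the first comment concrete: at a million guesses per second a 6-character alphanumeric space is exhausted in well under a day. The store half shows the reply's point that the attempt cap can sit on the token instead of the account, which removes the denial-of-service angle raised in between.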