> If rate limiting login attempts was all it took to protect passwords, then it wouldn't matter what hashing function you used, since the rate limiting would be independent of that.
It does not matter what hashing function you use for the login. It matters in case your database leaks.
> The use cases you described (session keys, activation links) are the perfect example of such environments.
They are not, because you don't want to reverse engineer the contents of the message (the message is there in plain text). That's the reverse of what you want to do with passwords. In the case of the password you want to brute-force what the password is; in the case of a signed message you want to forge a signature.
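
The distinction drawn in the reply above, as an added example that is not part of the original comment: an activation link carries its message in plain text and is protected by a fast HMAC under a random server key, while a stored password gets a salted, deliberately slow hash because a leaked database allows offline guessing. All function names, the token format and the iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed: a random 256-bit server-side key, kept outside the user database.
SIGNING_KEY = secrets.token_bytes(32)
PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def sign_activation_link(user_id: str, key: bytes = SIGNING_KEY) -> str:
    """The message (user_id) is readable by anyone; only the tag needs the key."""
    tag = hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"


def verify_activation_link(token: str, key: bytes = SIGNING_KEY) -> Optional[str]:
    """Return the user_id if the tag matches, else None."""
    user_id, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    ok = hmac.compare_digest(tag.encode(), expected.encode())
    return user_id if ok else None


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash: each offline guess against a leaked row costs
    `iterations` HMAC computations instead of one."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
```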