Comment Re: There we go again (Score 1) 383
If they do, there are botnets that help you try lots in a short period of time.
After the first 5 failed logins you don't allow ANY logins for the cooldown period, so having a botnet doesn't really help you. Also, it would be trivial to detect that someone is hopping from IP to IP to try to log in to the same account, as this would not be something a normal user would ever do. At that point you simply lock the account entirely, ban any of the IPs that continue to try to log in to the account, and then work from there.
Most attacks involve dumping the password hash database.
Which is a different scenario than what I was referring to. In that case you better hope you detected the attack or else you are basically fucked.
And even brute forcing is getting easier. If you need a SPECIFIC password, it's not any easier, but if you have a bunch of hashes and you want a good chunk of accounts (without caring if you have every account), it's actually easy. In fact, Ars Technica covers a domain-specific brute forcer [arstechnica.com] that relies on terminology from the sites cracked to get a list of potential passwords EXTREMELY quickly. Follow this with trivial modifications to get more. If you have a list of a million passwords, you could easily derive half of them this way, and then move on to the next list.
Brute forcing is getting easier. That is why you simply make your site an unattractive one to attack by making it so they can only do a very small number of attempts before hitting a cooldown and then an eventual total account lock. Sure, this can be an annoyance to a user, but it's much better than their account being breached. But again, if the attacker already has a password hash list from already cracking your system, they have a much easier go at you, especially if they can find out you didn't salt the hashes (or you used a weak PRNG for the salting, etc.) or follow any other proper procedures.
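The throttle the reply above describes (five failures, then a cooldown on the account regardless of source IP; a hard lock when one account is hit from many IPs; bans for IPs that keep trying a locked account), written out as an added Python example that is not from the thread. The `LoginThrottle` class, its thresholds and the injectable clock are assumptions made for illustration.

```python
import time
from collections import defaultdict
# Thresholds below are assumptions for this example, not values from the thread.
MAX_FAILURES = 5        # failures that trigger a per-account cooldown
COOLDOWN_SECONDS = 900  # no attempts on the account are accepted during cooldown
MAX_COOLDOWNS = 3       # consecutive cooldowns before the account is locked outright
MAX_DISTINCT_IPS = 3    # failing from more IPs than this on one account = IP hopping


class LoginThrottle:
    def __init__(self, now=time.time):
        self.now = now                      # injectable clock so tests run instantly
        self.failures = defaultdict(int)    # account -> failures since last cooldown
        self.cooldowns = defaultdict(int)   # account -> cooldowns since last success
        self.failed_ips = defaultdict(set)  # account -> distinct source IPs that failed
        self.cooldown_until = {}            # account -> timestamp the cooldown expires
        self.locked = set()                 # accounts needing an out-of-band unlock
        self.banned_ips = set()             # IPs that kept hammering a locked account

    def check(self, account, ip):
        """Gate evaluated BEFORE the password is verified. Returns (allowed, reason)."""
        if ip in self.banned_ips:
            return False, "ip_banned"
        if account in self.locked:
            self.banned_ips.add(ip)         # still trying a locked account: ban the source
            return False, "account_locked"
        if self.now() < self.cooldown_until.get(account, 0):
            return False, "cooldown"        # applies to every IP, so a botnet gains nothing
        return True, "ok"

    def record(self, account, ip, success):
        """Update state after an attempt; returns the resulting account state."""
        if success:                         # a real login clears every counter
            for table in (self.failures, self.cooldowns, self.failed_ips, self.cooldown_until):
                table.pop(account, None)
            return "ok"
        self.failures[account] += 1
        self.failed_ips[account].add(ip)
        if len(self.failed_ips[account]) > MAX_DISTINCT_IPS:
            self.locked.add(account)        # IP hopping against one account: lock it
            return "locked"
        if self.failures[account] >= MAX_FAILURES:
            self.failures[account] = 0
            self.cooldowns[account] += 1
            if self.cooldowns[account] >= MAX_COOLDOWNS:
                self.locked.add(account)    # repeated cooldowns: eventual total lock
                return "locked"
            self.cooldown_until[account] = self.now() + COOLDOWN_SECONDS
            return "cooldown"
        return "failed"
```

The counters live in process memory here; a deployment with several login front-ends keeps them in shared storage so every node sees the same state for an account.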