After the first 5 failed logins you don't allow ANY logins for the cooldown period so having a botnet does't really help you. Also, it would be trivially to detect that someone is hopping from IP to IP to try to login to the same account as this would not be something a normal user would ever do. At that point you simply lock the account entirely, ban any of the IPs that continue to try to login to the account and then work from there.

Which is a different scenario than what I was referring to. In that case you better hope you detected the attack or else you are basically fucked.

Brute forcing is getting easier. That is why you simply make your site an unattractive one to attack by making it so they can only do a very small amount of attempts before hitting a cooldown and then an eventual total account lock. Sure, this can be an annoyance to a user, but it's much better than their account being breached. But again, if the attacker already has a password hash list from already cracking your system, they have a much easier go at you especially if they can find out you didn't salt the hashes (or you used a weak PRNG for the salting, etc.) or do any other proper procedures.

A very valid concern and as I address in another post it is not a perfect solution. There is no way to prevent users from reusing passwords across sites nor will there ever be foolproof way to spot every intrusion. But then again, no security procedure is perfect and anyone stating otherwise is selling you snake oil.

And as I've had to state over and over again (and this isn't meant against you wagnerrp), my statement about rate limiting, etc. was in the context of a post that did not mention an attacker already having compromised the system and having a DB dump with all the password hashes. That is a completely distinct scenario than the one I referred to and obviously would require other mitigations.

Thank you! Someone that actually took the time to figure out the context of my statements.

Nope, because I never claimed that. You misunderstood my point and started falsely assuming things.

Of course it is predicated on knowing you've been attacked. I was pretty sure that would be quite obvious. Of course, if you've been attacked and have no knowledge of it that these security measures won't prevent an attacker from being able to attack you again after offline brute forcing a password.

And I never said it had anything to do with that scenario. You've basically have been twisting my words into something I never stated or implied and then have applied them to scenarios outside of what I originally responded to. At this point I'm simply just going to ignore you.

Yes, they aren't. But all these scenarios are orthogonal to what I was responding to originally which is someone talking about using a dictionary attack to brute force password.

As I originally responded to AC-x, if the attacker already has the hash and can then brute force it, of course what I mentioned doesn't stop them, but that scenario is no different than knowing their phone's PIN and being able to side step any of the very same protections I mentioned that phone OSes use which is to use a lock-out after a certain number of failed attempts.

And before the grammar nazis come out, yes I accidentally typed you're instead of your. Let me go commit seppuku now.

Except what you are talking about was not what I was originally responding to. You basically injected yourself into the conversation and completely changed the context and then started calling me an idiot. I suggest you re-read what I originally responded to:

Do you notice that nowhere in that quoted statement is there anything about the attacker already having the password hash?

My irony meter exploded.

Duh. Being Captain Obvious again?

Yes, they have.

Of course, this is why you lock the accounts until the user resets the password. Poof that attack vector is now gone.

Only if you're system admins are dumb enough to not do what I state above.

Only if the passwords haven't been salted properly. Even then, a rainbow tables attack can also be thwarted by the same techniques I mentioned above. Allowing any attacker the ability to do 10s of millions if not a couple of billion (with powerful enough hardware) tries a second to brute force a password is just the height of idiocy. Using constant time password checking, rate limiting, cooldown periods and as a last resort IP bans makes you such an unattractive target that they usually just move on to some other insecure site.

Forgot to close my quote tag so fixing it.

Yes, that's why you stop such attacks by rate limiting and cooldowns and then eventually just ban their IP if they are just obviously an attacker. If they can only have 5 tries every 15-20 minutes the attacker is going to give up unless the user's password just happens to be near the very beginning of the dictionary.

Nope, you're just a poor mind reader.

And to further add, combined with timing attacks and any other potential weaknesses the key space of that 50 character password can be dramatically reduced.

To add above, just because the brute forcing theoretically might take a long time is no reason to allow someone to have unlimited tries. You never know when exactly their brute forcing will stumble upon the password. The user's password could potentially be within the first billion or so tries which means they could potentially brute force it in the first second with powerful enough hardware.

Based on what do you falsely assume that?

It's better than allowing someone to brute force account passwords. When combined with IP banning when seen that someone is just trying to attack the system your DOS attack would be short-lived.