Comment One thing I don't get (Score 1) 267
Ok, if I'm writing a webapp that accepts a password, presumably if I wanted to increase security somewhat I would put in a guessing rate limiter.
5 strikes and you're out (for a while).
So assuming (a reasonable assumption still in most cases, I hope) that the adversary does not have the file of password hashes, how exactly do they try the trillion guesses per second?
Explain please. I'm sure I'm missing something obvious.