I really don't see how that's true, look at how the thread progressed -

AC1: "[We just need better passwords - eg. a complete sentence]"

AC2: "[That password could be broken by a dictionary attack]"

Desler: "Dictionary attacks can be trivially defeated by [rate] limiting"

Me: "Unless you have the password hash"

Desler: "(Insults) ... But if the attacker knows the password hash that is not a dictionary attack. In fact, there would be no need for any attack at all."

Me: "[Password hashes are one way only so still need to be attacked, weak passwords are susceptible to brute forcing the hash]"

Desler: "Yes, that's why you stop such attacks by rate limiting and cooldowns and then eventually just ban their IP if they are just obviously an attacker."

Me: "[Rate limiting doesn't apply to brute force cracking of hashes]"

Desler: "(more insults) Of course, this is why you lock the accounts until the user resets the password. Poof that attack vector is now gone."

Seriously, between him throwing insults and going on about rate limiting preventing brute forcing a hash, where have I misread what Desler said?

If that were the only password like it in a database that's true, but if we're suggesting a new password scheme that's adopted (like the XKCD several random words password) then a password made from a valid sentence like that would be easier to crack than a nonsense sentence.

The problem with that scheme is if you let users pick their own passwords they tend to follow certain patterns that make them easier to brute force.

As I've had to point out many times knowing the hash is very different to knowing a pin code. Seriously here's an SHA1 hash, can you reverse it? b6faa93a9e6ca445875c6b5511e2153bb51ef43a

The point you've been missing from the original AC's post is that some password schemes are much easier to brute force (eg. with a dictionary attack) than others. That's completely separate to rate limiting online logins and password resets etc.

But the real point is that's got nothing to do with having a password scheme strong enough to defeat a dictionary attack, which is what the AC above posted about.

In theory password hashes can be uncrackable, in practise most people pick passwords that can be cracked using a dictionary attack.

Coming up with a password scheme that is easier for people to remember but more difficult to brute force would be a huge step forward in IT security, and more useful than relying on all websites to never leak password hashes.

Yes you did:

"But if the attacker knows the password hash that is not a dictionary attack. In fact, there would be no need for any attack at all." - No, you still need to attack (brute force) the hash to extract the password.

"Yes, that's why you stop such attacks by rate limiting and cooldowns and then eventually just ban their IP if they are just obviously an attacker. If they can only have 5 tries every 15-20 minutes the attacker is going to give up unless the user's password just happens to be near the very beginning of the dictionary." - As written by you direct reply to a post about having the hash of a password, and is completely irrelevant if you have a hash.

The point is having a strong (not dictionary attackable) is preferable as it protects against password cracking proactively. Resetting a user's password after a hack is simply not as good as having a strong password that can't be cracked.

You trolling or what?

Do you notice that nowhere in that quoted statement is there anything about the attacker performing a dictionary attack using online login attempts?

It's rare for someone to attempt an online dictionary attack because it's slow and obvious. My post that, in the more likely real-world scenario of hackers having the password hashes, passwords are still vulnerable to (offline) dictionary attacks is absolutely true. To think that rate limiting of online logins can defeat dictionary attacks is foolhardy...

By your previous posts it seemed you needed things put in simple terms, especially since you claimed that 1) knowing the hash is the same as knowing the password (it's not) and 2) rate limiting could defeat offline password cracking (it can't). Do you stand by those claims?

That's no solution: 1) Relies on the attack being detected in the first place. 2) If the user has reused their password elsewhere this doesn't reset those too. It's also completely irrelevant to the question of being able to dictionary attack a password.

Hey Desler I really don't get you, you (appear to) know what a salt is yet you don't understand that an attacker would be performing the attack on the hash offline, with their own hardware. Rate limiting their own hardware would be, as you put it, the height of idiocy.

You probably shouldn't try to write about things you don't know about or understand.

1. The industry accepted way to store passwords securely in a database is with a one-way, salted cryptographic hash (using as CPU intensive algorithm as possible).

2. Many organisations have had database intrusions where these password hashes have been stolen (eg. eBay, Linkedin, LivingSocial etc.)

3. When this happens (i.e. "they have a copy of the password hash") passwords can be cracked offline. Strong passwords are safe (too hard to brute force), but weak passwords can be found using a dictionary attack.

4. Once the password is found offline a hacker can log straight in to the victim's online account with a single password attempt.

You seem to have no clue what a password hash actually is. The whole point of a cryptographic hash is it's one way operation; You can turn a password into a hash easily, but you can't turn a hash into a password without brute forcing it.

Having a hash of a sufficiently string password is perfectly safe, in fact here's one now, bet you can't find the password from it. It's a basic SHA1 hash, not even salted: b6faa93a9e6ca445875c6b5511e2153bb51ef43a

However if a chosen password appears in a password dictionary than you can cut down your brute force search space by so much it goes from taking years (even centuries) to crack a password to taking a few hours (sometimes minutes).

Unless they have a copy of the password hash

Yes, corporations with premises in the City of London are given a number of votes in local elections based on the number of employees they have.

"entirely new CPU architecture" ? The A7 uses a 64 bit variant of ARM. If you want a mobile OS that's been ported to completely different CPU architectures then look at Android; It supports ARM, MIPS and x86. They can even run the same apps.

Yeah, I hope that's a joke, because I did a survey of people in the smoking area of a bar and found that 19 out of 20 of them smoked. Extrapolated to the population of Earth that makes 6.7 billion smokers...