That's weird. My initial post nor the post I responded to said anything about hashes. My initial post was responding to someone talking about using a dictionary attack to get someone's password. I presume you falsely think my "initial post" was the one in response to AC-x which it wasn't. I also very much do know what a hash is. You and him seem to have a reading comprehension problem since you failed to understand my post. The point of my post was to say that, yes, having a password hash which you can use to try to recreate the original password does defeat what I stated, but that is tautological. If you can do an end run around the authentication protections it is no different than, as I said in an analogy, to having someone's PIN to their phone. I never once stated that having a hash was the same as having a plaintext password nor was their any such implication. Him stating that I believed the two were the same is basically a false presumption on his part by failing to understand my analogy.

I only messed up a quote once out of more than a dozen posts. Yeah, I totally don't know how to quote properly. Oh wait, I do.

Do you have an actual argument or just stupid ad homs like AC-x?

I would mod you up if I had points. I'm glad some people actually bothered to read and comprehend the context of my posts. Thank you!

At this point I will simply give up because I can't win when being bombarded by all these people twisting my words and taking me out of context.

And that changes the fact that you redefined dictionary attack how?

Yes, because I was not wrong. Dictionary attacks are still dictionary attacks even if the attacker does not have password hashes. A dictionary attack simply means that the attacker has a list of dictionary words that can be used to try to guess the user's password. Nothing more.

Don't have it. Nice ad hom, though.

Did you read his whole post?

I also said this as well. Of course if you have no clue that you were attacked you can't employ such a measure. Isn't that quite an obvious implication? Secondly, there is no way any single website can prevent password reuse, so as such both him and I both acknowledged that was another weakness. As he also said:

Should be "Notice how neither that quote or even the rest of the article makes any mention".

And here is an article on Dictionary Attacks by Jeff Atwood. Notice how nowhere in the article does he mention anything about already having password hashes? And here is the original article from Wired about the very dictionary attack used against Twitter which is the context of Jeff's article. Here is a nice relevant quote:

Notice how that quote or even the rest of the article makes any mention of the attacker already having hashes yet it was still called a dictionary attack.

Already mentioned in another post. At that point, you just lock the account entirely and just ignore any and all further login attempts into you can get in contact with the account holder and work out things from there. It's an inconvenience for them, but much better than a breach.

Better they be kept out of the service for some period of time versus their account being breached. You can also get around this by some sort of whitelisting mechanism paired with a two-factor authentication.

It's amusing how everyone is telling me that my ideas are bad yet they are basic security measures that almost every decent website and service use. I can even name drop Jeff Atwood to back me up as well:

http://blog.codinghorror.com/d...

And even Bruce Schneier agrees and quotes the very same article:

http://www.schneier.com/blog/a...

So are you guys going to tell me how Jeff Atwood and Bruce Schneier are idiots and don't know anything despite the fact that what I said is basically parroting their own suggestions?

I fully understood what he put forth and repeatedly stated that it had no relation to the context of my original statement.

Not true. A dictionary attack has no such prerequisite. Dictionary attacks are used all the time even when you have no grabbed hash. You're simply redefining the term.

Wikipedia:

Funny, not a single mention of a grabbed hash and I can find many such more definitions and explanations that also contain no such prerequisite.

Sure, that is a problem but it's not as if any single site can prevent that. As I've said over and over again, nothing of what I have stated is perfect since there is no such perfect security measure. As stated numerous times, my comments about certain things are always within a certain context.

To offer up an analogy to the way AC-x has been attacking me: My original post would be like me talking to someone who says that it's pretty easy to pick a lock that has an external keyhole (which is certainly true in many situations), and then I come back by saying that in such a case you should have a deadbolt that has no way to be unlocked externally. AC-x then comes into the conversation to tell me about how if the person has a sledgehammer that they can just brute force there way around the deadbolt problem. I then come back and say, sure, they could also simply break a window to bypass the deadbolt as well. And then he comes back telling me about how I'm stupid and don't know anything of how deadbolts and sledgehammers work.

Now, his statement is surely true that a sledgehammer breaking through a door will certainly be able to bypass a deadbolt. He is also correct that having previously infiltrated a system you can try to offline brute force a password so that you can get in without hitting any of the mitigations I brought. But that was not the context of the response that I made to the person which was simply that of someone trying to dictionary attack a site without having any prior knowledge about the user's password (or in the hypothetical situation the person simply has a lockpick set not a sledgehammer).

To add, I want to again stress that what I stated is not a catch-all for any and all potential attack vectors. It was simply made in the context of a person attempting to dictionary attack a user's password without them already having a password hash list or any other information from having previously breached your system. Anything beyond that scenario obviously requires further mitigations and procedures being in place.

After the first 5 failed logins you don't allow ANY logins for the cooldown period so having a botnet does't really help you. Also, it would be trivially to detect that someone is hopping from IP to IP to try to login to the same account as this would not be something a normal user would ever do. At that point you simply lock the account entirely, ban any of the IPs that continue to try to login to the account and then work from there.

Which is a different scenario than what I was referring to. In that case you better hope you detected the attack or else you are basically fucked.

Brute forcing is getting easier. That is why you simply make your site an unattractive one to attack by making it so they can only do a very small amount of attempts before hitting a cooldown and then an eventual total account lock. Sure, this can be an annoyance to a user, but it's much better than their account being breached. But again, if the attacker already has a password hash list from already cracking your system, they have a much easier go at you especially if they can find out you didn't salt the hashes (or you used a weak PRNG for the salting, etc.) or do any other proper procedures.

A very valid concern and as I address in another post it is not a perfect solution. There is no way to prevent users from reusing passwords across sites nor will there ever be foolproof way to spot every intrusion. But then again, no security procedure is perfect and anyone stating otherwise is selling you snake oil.

And as I've had to state over and over again (and this isn't meant against you wagnerrp), my statement about rate limiting, etc. was in the context of a post that did not mention an attacker already having compromised the system and having a DB dump with all the password hashes. That is a completely distinct scenario than the one I referred to and obviously would require other mitigations.

Thank you! Someone that actually took the time to figure out the context of my statements.

Nope, because I never claimed that. You misunderstood my point and started falsely assuming things.

Of course it is predicated on knowing you've been attacked. I was pretty sure that would be quite obvious. Of course, if you've been attacked and have no knowledge of it that these security measures won't prevent an attacker from being able to attack you again after offline brute forcing a password.

And I never said it had anything to do with that scenario. You've basically have been twisting my words into something I never stated or implied and then have applied them to scenarios outside of what I originally responded to. At this point I'm simply just going to ignore you.

Yes, they aren't. But all these scenarios are orthogonal to what I was responding to originally which is someone talking about using a dictionary attack to brute force password.

As I originally responded to AC-x, if the attacker already has the hash and can then brute force it, of course what I mentioned doesn't stop them, but that scenario is no different than knowing their phone's PIN and being able to side step any of the very same protections I mentioned that phone OSes use which is to use a lock-out after a certain number of failed attempts.