There are no assumptions here, it's well known that a high percentage of users reuse the same password for multiple sites, including their email. Therefore if you crack an average user's account on a site you've got a good chance of also having their email address password. Obviously having control of someone's email is ground zero as far as getting account credentials is concerned, but even if they use a different password for email there could be connected sites (such as the Sony example in the link) that many users use the same login for, so a breach in a "low importance" service could expose users on more important service from the same company.

Banks will lock you out on the 2nd or 3rd failed attempt. A quick Google finds plenty of sites like Paddy Power and Yahoo lock accounts after a few bad password entries.

Most sites at least switch to a captcha after several failed logins too.

You should still only allow a certain number of failed login attempts for a given username. Sure it's rare to brute force via an online login, but it's worth doing to protect a user's account. Sure it sucks for that individual user to have the small possibility of being locked out their account temporarily, but it's not as bad as losing their account and also discourages any hacker from hammering your server and sending your entire site down in an actual DOS.

The email address they used to register is the obvious one. They may also have connected social media accounts to whatever site got hacked.

Sorry Desler you can't just say I was only talking about dictionary attacks on rate limited login portals, so no-one is allowed to talk about anything else, if you're going to mention dictionary attacks then attacking hashes will always be part of that discussion whether you want it to be or not.

Indeed, although whatever hashing scheme you have, having a password that's findable in a dictionary attack will always be much quicker than one that needs to be completely brute forced.

I really don't see how that's true, look at how the thread progressed -

AC1: "[We just need better passwords - eg. a complete sentence]"

AC2: "[That password could be broken by a dictionary attack]"

Desler: "Dictionary attacks can be trivially defeated by [rate] limiting"

Me: "Unless you have the password hash"

Desler: "(Insults) ... But if the attacker knows the password hash that is not a dictionary attack. In fact, there would be no need for any attack at all."

Me: "[Password hashes are one way only so still need to be attacked, weak passwords are susceptible to brute forcing the hash]"

Desler: "Yes, that's why you stop such attacks by rate limiting and cooldowns and then eventually just ban their IP if they are just obviously an attacker."

Me: "[Rate limiting doesn't apply to brute force cracking of hashes]"

Desler: "(more insults) Of course, this is why you lock the accounts until the user resets the password. Poof that attack vector is now gone."

Seriously, between him throwing insults and going on about rate limiting preventing brute forcing a hash, where have I misread what Desler said?

If that were the only password like it in a database that's true, but if we're suggesting a new password scheme that's adopted (like the XKCD several random words password) then a password made from a valid sentence like that would be easier to crack than a nonsense sentence.

The problem with that scheme is if you let users pick their own passwords they tend to follow certain patterns that make them easier to brute force.

As I've had to point out many times knowing the hash is very different to knowing a pin code. Seriously here's an SHA1 hash, can you reverse it? b6faa93a9e6ca445875c6b5511e2153bb51ef43a

The point you've been missing from the original AC's post is that some password schemes are much easier to brute force (eg. with a dictionary attack) than others. That's completely separate to rate limiting online logins and password resets etc.

But the real point is that's got nothing to do with having a password scheme strong enough to defeat a dictionary attack, which is what the AC above posted about.

In theory password hashes can be uncrackable, in practise most people pick passwords that can be cracked using a dictionary attack.

Coming up with a password scheme that is easier for people to remember but more difficult to brute force would be a huge step forward in IT security, and more useful than relying on all websites to never leak password hashes.

Yes you did:

"But if the attacker knows the password hash that is not a dictionary attack. In fact, there would be no need for any attack at all." - No, you still need to attack (brute force) the hash to extract the password.

"Yes, that's why you stop such attacks by rate limiting and cooldowns and then eventually just ban their IP if they are just obviously an attacker. If they can only have 5 tries every 15-20 minutes the attacker is going to give up unless the user's password just happens to be near the very beginning of the dictionary." - As written by you direct reply to a post about having the hash of a password, and is completely irrelevant if you have a hash.

The point is having a strong (not dictionary attackable) is preferable as it protects against password cracking proactively. Resetting a user's password after a hack is simply not as good as having a strong password that can't be cracked.

You trolling or what?

Do you notice that nowhere in that quoted statement is there anything about the attacker performing a dictionary attack using online login attempts?

It's rare for someone to attempt an online dictionary attack because it's slow and obvious. My post that, in the more likely real-world scenario of hackers having the password hashes, passwords are still vulnerable to (offline) dictionary attacks is absolutely true. To think that rate limiting of online logins can defeat dictionary attacks is foolhardy...

By your previous posts it seemed you needed things put in simple terms, especially since you claimed that 1) knowing the hash is the same as knowing the password (it's not) and 2) rate limiting could defeat offline password cracking (it can't). Do you stand by those claims?

That's no solution: 1) Relies on the attack being detected in the first place. 2) If the user has reused their password elsewhere this doesn't reset those too. It's also completely irrelevant to the question of being able to dictionary attack a password.

Hey Desler I really don't get you, you (appear to) know what a salt is yet you don't understand that an attacker would be performing the attack on the hash offline, with their own hardware. Rate limiting their own hardware would be, as you put it, the height of idiocy.