
> You have to stop the bots from trying to brute force user accounts and passwords.

That shouldn't be an issue if the passwords have enough entropy.



>>> if the passwords have enough entropy.

Allow me to optimize your statement.

    >>> if False


What does it mean? Users always pick low-entropy passwords?


Almost always. It's gotten better with the rise of password managers that generate random passwords, but otherwise, passwords are usually shared across many websites and usually less than 16 characters.


Not "always". But you should not build your systems based on the assumption that passwords will be strong enough.


No amount of entropy mitigates a successful credential stuffing attack.


No amount of anything mitigates a successful attack; otherwise it wouldn't be successful.


It could be argued that once you use a password more than once its entropy decreases automatically.
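As an added illustration of the brute-force versus credential-stuffing distinction the thread circles around (this is example code written for this page, not anything posted by a commenter): per-account failure counting is exactly what "stop the bots from brute forcing" usually means in practice, and it catches a single source hammering one account. A credential-stuffing source tries each account once or twice with a password leaked from somewhere else, so the per-account counter never trips and a correct reused password succeeds on the first attempt, no matter how much entropy it had. The detection below separates the two patterns in a small login log. The log format, field names, thresholds and all sample lines are assumptions constructed for the example.

```python
"""Classify failed-login activity as brute force (one source, one account,
many attempts) or credential stuffing (one source, many accounts, about one
attempt each). Example code, not from the original thread."""
import re
from collections import defaultdict

# Constructed sample log; the line format is an assumption for this example:
#   <ISO timestamp> ip=<source> user=<account> result=<fail|ok>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice result=fail
2024-05-01T10:00:02Z ip=203.0.113.5 user=alice result=fail
2024-05-01T10:00:03Z ip=203.0.113.5 user=alice result=fail
2024-05-01T10:00:04Z ip=203.0.113.5 user=alice result=fail
2024-05-01T10:00:05Z ip=203.0.113.5 user=alice result=fail
2024-05-01T10:00:06Z ip=203.0.113.5 user=alice result=fail
2024-05-01T10:01:00Z ip=198.51.100.7 user=bob result=fail
2024-05-01T10:01:01Z ip=198.51.100.7 user=carol result=fail
2024-05-01T10:01:02Z ip=198.51.100.7 user=dave result=ok
2024-05-01T10:01:03Z ip=198.51.100.7 user=erin result=fail
2024-05-01T10:01:04Z ip=198.51.100.7 user=frank result=fail
2024-05-01T10:02:00Z ip=192.0.2.9 user=grace result=fail
2024-05-01T10:02:30Z ip=192.0.2.9 user=grace result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse(log: str) -> list[dict]:
    """Parse log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify(events, brute_threshold=5, stuffing_accounts=4,
             stuffing_max_per_account=2):
    """Return brute-force (ip, user) pairs and credential-stuffing source IPs.

    A real detector would also bucket by time window; this example treats the
    whole input as one window to keep the two patterns easy to compare.
    """
    fails_per_pair = defaultdict(int)      # (ip, user) -> failed attempts
    users_per_ip = defaultdict(set)        # ip -> distinct accounts touched
    success_per_ip = defaultdict(set)      # ip -> accounts that logged in
    for e in events:
        users_per_ip[e["ip"]].add(e["user"])
        if e["result"] == "fail":
            fails_per_pair[(e["ip"], e["user"])] += 1
        else:
            success_per_ip[e["ip"]].add(e["user"])

    # Brute force: the per-account counter a simple lockout policy watches.
    brute = {pair: n for pair, n in fails_per_pair.items() if n >= brute_threshold}

    # Credential stuffing: many accounts from one source, each tried at most a
    # couple of times, so no single (ip, user) pair ever reaches the lockout
    # threshold. Successful logins from such a source are the ones that matter.
    stuffing = {}
    for ip, users in users_per_ip.items():
        if len(users) < stuffing_accounts:
            continue
        worst = max(fails_per_pair.get((ip, u), 0) for u in users)
        if worst <= stuffing_max_per_account:
            stuffing[ip] = {
                "accounts_tried": len(users),
                "accounts_compromised": sorted(success_per_ip[ip]),
            }
    return {"brute_force": brute, "credential_stuffing": stuffing}


if __name__ == "__main__":
    result = classify(parse(SAMPLE_LOG))
    for pair, n in result["brute_force"].items():
        print(f"brute force: {pair[1]} from {pair[0]}, {n} failures")
    for ip, info in result["credential_stuffing"].items():
        print(f"credential stuffing from {ip}: {info['accounts_tried']} accounts "
              f"tried, compromised: {info['accounts_compromised']}")
```

Run as a script it reports one brute-forced account (alice) and one stuffing source that touched five accounts and got into one of them. Note that the stuffing source never appears in the brute-force output: with a per-account lockout alone it would be invisible, which is the practical content of "no amount of entropy mitigates credential stuffing". The usual responses are per-source velocity limits, checking submitted passwords against known-breached sets, and a second factor.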



