In the case of passwords, this rate-limiting is implemented by the use of "slow-by-design" password hashing functions, such as Bcrypt/Scrypt, Argon2, PBKDF2, etc.
And this is why simply hashing a password is never safe, even if the key space is large: if a one-way operation is fast, a brute-force attack can be scaled, while it's much harder if it takes hundreds of milliseconds for a single try.
Now the use of GCM authentication to detect a valid key in an attack is interesting. Do you have examples where this feature was used in an actual attack?