DEV Community


Discussion on: How Do Brute-Force Attackers Know They Found The Key?

François Best

In the case of passwords, this rate-limiting is implemented by the use of "slow-by-design" password hashing functions, such as Bcrypt/Scrypt, Argon2, PBKDF2, etc.

And this is why simply hashing a password is never safe, even if the key space is large: if a one-way operation is fast, a brute-force attack can be scaled, while it's much harder if it takes hundreds of milliseconds for a single try.

Now the use of GCM authentication to detect a valid key in an attack is interesting. Do you have examples where this feature was used in an actual attack?
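
Added example, not part of the comment above: a Python sketch that measures the per-guess cost of a single SHA-256 against PBKDF2-HMAC-SHA256 and projects how long a fixed key space takes to exhaust at each cost. The function names, the iteration count and the 8-character key space are assumptions chosen for illustration.

```python
import hashlib
import hmac
import time

# Assumed work factor for this example; tune it to your own hardware and latency budget.
PBKDF2_ITERATIONS = 600_000


def fast_hash(password: bytes, salt: bytes) -> bytes:
    """Single salted SHA-256: the 'simply hashing a password' case."""
    return hashlib.sha256(salt + password).digest()


def slow_hash(password: bytes, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: every guess costs `iterations` HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def verify(password: bytes, salt: bytes, stored: bytes,
           iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute the slow hash and compare in constant time."""
    return hmac.compare_digest(slow_hash(password, salt, iterations), stored)


def seconds_per_guess(fn, trials: int) -> float:
    """Average wall-clock cost of one call to fn(password, salt)."""
    salt = b"\x00" * 16  # constructed fixed salt, for timing only
    start = time.perf_counter()
    for i in range(trials):
        fn(b"guess-%d" % i, salt)
    return (time.perf_counter() - start) / trials


def days_to_exhaust(keyspace: int, secs_per_guess: float, workers: int = 1) -> float:
    """Time to try every candidate, spread evenly over `workers` parallel workers."""
    return keyspace * secs_per_guess / workers / 86_400


if __name__ == "__main__":
    keyspace = 36 ** 8  # constructed: 8 characters drawn from a-z and 0-9
    for name, fn, trials in (("sha256", fast_hash, 200_000),
                             ("pbkdf2", slow_hash, 3)):
        cost = seconds_per_guess(fn, trials)
        print(f"{name}: {cost * 1e3:.4f} ms/guess, "
              f"{days_to_exhaust(keyspace, cost):,.0f} days on one core, "
              f"{days_to_exhaust(keyspace, cost, workers=10_000):,.2f} days on 10,000 workers")
```

The `workers` parameter shows the scaling point: dividing a microsecond-scale cost across many workers makes the search cheap, while a cost of hundreds of milliseconds stays expensive even when parallelised.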