
Not normally, but it does open up a DoS vector that at the very least will prevent legitimate users from logging in.



It's one of thousands of DoS vectors, all of which are addressed the same way: coarse ad-hoc anomaly filters.


But it's a non-obvious (imo) attack vector opened simply by switching to scrypt / bcrypt.

In a perfect world, quality web apps have rate limiting built into their auth schemes. But it's important to acknowledge these two algorithms will put a much heavier burden on your CPU.
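An added example, not part of the thread: a rate limiter placed in front of an scrypt check, so that throttled login attempts never reach the expensive hash. The class names, per-client-address keying, cost parameters, frozen clock and sample addresses are all assumptions constructed for this illustration.

```python
import hashlib, hmac, os, time

SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)  # constructed cost parameters

class TokenBucket:
    """Allows `burst` attempts at once, refilled at `rate` tokens per second."""
    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.state = {}  # key -> (tokens, time of last request)

    def allow(self, key):
        now = self.clock()
        tokens, last = self.state.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self.state[key] = (tokens - 1 if allowed else tokens, now)
        return allowed

class LoginGate:
    def __init__(self, users, limiter):
        self.users = users      # username -> (salt, scrypt hash)
        self.limiter = limiter
        self.kdf_calls = 0      # counts expensive hash computations

    def login(self, client_ip, username, password):
        # The cheap check runs first: a throttled request costs no KDF work.
        if not self.limiter.allow(client_ip):
            return "throttled"
        # Unknown users still get one hash against a dummy record.
        salt, stored = self.users.get(username, (b"\0" * 16, b"\0" * 32))
        self.kdf_calls += 1
        candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
        ok = hmac.compare_digest(candidate, stored) and username in self.users
        return "ok" if ok else "denied"

def make_user(password):
    salt = os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)

def demo():
    # Frozen clock (constructed) so no tokens refill and the counts are exact.
    limiter = TokenBucket(rate=0.2, burst=5, clock=lambda: 1000.0)
    gate = LoginGate({"alice": make_user("correct horse")}, limiter)
    # Constructed traffic: 50 bad attempts from one address, then a real login.
    flood = [gate.login("203.0.113.9", "alice", f"guess{i}") for i in range(50)]
    legit = gate.login("198.51.100.7", "alice", "correct horse")
    return flood.count("denied"), flood.count("throttled"), gate.kdf_calls, legit
```

Keying the bucket on client address alone is the simplest choice for the illustration; traffic spread across many addresses would need additional keys such as the target account.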


Most DoS vectors are non-obvious, so this seems like a very weak reason to change the way you do password hashing.



