On Sep 9, 2019, at 2:00 PM, Kirk Brooks wrote:

> More to the point of workstation security after 4
> failed attempts 4D itself enforces a 10 second freeze. Sadly this freeze
> seems to only apply to every 5th attempt - using both 17.2 and 17r6.

And you are “sorry” because? If you think allowing 1 password guess every 2 seconds is not very strong, the math for brute force attempt at bcrypt — which is what I understand 4D uses — would result in 130,000 lifetimes of years of continuous attempts based on one example. Stop reading now if you hate math.

https://security.stackexchange.com/questions/182111/mathematically-how-long-would-it-take-to-crack-a-bcrypt-password-hash?rq=1

This link talks about using an "8x Nvidia GTX 1080 Hashcat” GPU — whatever that is — which can calculate 100,000 bcrypt passwords per second.

An 8 alphanumeric password of upper and lower case and numbers is 218 trillion different possibilities. But you can only try 1 of those passwords every 2 seconds, on average. So 30 per minute * 60 minutes * 24 hours = 43,200 attempts per day.

So take the 218,000,000,000,000 / 43,200 per day / 365 days per year = 13,825,469 years. (I love doing math.)

Without the 2 second delay — and checking 13,094 passwords every second — it would still take 528 years!

So I don’t think there is any reason to worry about brute force 4D password attacks. :)

Tim

*****************************************
Tim Nevels
Innovative Solutions
785-749-3444
[email protected]
*****************************************
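
The arithmetic in the message above, as an added example that is not part of the original post: it derives the average guess rate from the freeze policy and compares it with the two offline rates quoted in the message. It assumes the attempts themselves take no time, so a 10 second freeze on every 5th attempt averages to 2 seconds per guess; the function names are hypothetical.

```python
# Added example: search-time estimate for the figures quoted in the message.
SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def throttled_rate(attempts_per_cycle: int, freeze_seconds: float,
                   seconds_per_attempt: float = 0.0) -> float:
    """Average guesses per second when a freeze follows every N-th attempt.

    Assumption: one cycle is N attempts plus one freeze.
    """
    cycle = attempts_per_cycle * seconds_per_attempt + freeze_seconds
    return attempts_per_cycle / cycle


def years_to_search(space: int, guesses_per_second: float,
                    fraction: float = 1.0) -> float:
    """Years needed to try `fraction` of the keyspace at a constant rate."""
    return space * fraction / guesses_per_second / SECONDS_PER_YEAR


def report() -> dict:
    """Exhaustive and average (half the keyspace) search time per scenario."""
    space = keyspace(26 + 26 + 10, 8)   # upper + lower + digits, 8 characters
    rates = {
        "online, 10 s freeze every 5th attempt": throttled_rate(5, 10.0),
        "offline, 13,094 guesses/s (message)": 13_094.0,
        "offline, 100,000 guesses/s (linked answer)": 100_000.0,
    }
    return {
        name: (years_to_search(space, rate), years_to_search(space, rate, 0.5))
        for name, rate in rates.items()
    }


if __name__ == "__main__":
    for name, (full, average) in report().items():
        print(f"{name}: {full:,.0f} years exhaustive, {average:,.0f} on average")
```

The exact keyspace is 62^8 rather than the rounded 218 trillion, so the results differ slightly from the rounded figures in the message.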

