
Why wouldn’t exponential API rate limiting solve this brute force issue?



Because brute force does not imply a high rate. You can brute force a password by making attempts on an irregular schedule, a few attempts per hour. That will not be caught by any rate limiter as it would make the service unusable for regular users with fat fingers or misconfigured keyboards.
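For defenders, the point in the reply above can be checked against login logs. The following is an added example, not part of the thread: it replays constructed events through an assumed exponential-backoff policy (the `free`, `base_s` and `reset_s` parameters are hypothetical) and then through a long-window per-account failure counter, which is the check that does surface a few-attempts-per-hour pattern.

```python
from collections import defaultdict, deque

def blocked_by_backoff(events, free=3, base_s=1, reset_s=900):
    """Count attempts an exponential-backoff limiter rejects.

    Assumed policy: after `free` consecutive failures the required wait
    doubles per failure; the streak resets on success or after reset_s
    seconds of quiet, so a user who mistypes is not locked out for long.
    """
    streak, last, blocked = defaultdict(int), {}, 0
    for ts, acct, ok in events:
        if acct in last and ts - last[acct] >= reset_s:
            streak[acct] = 0
        over = streak[acct] - free
        if over >= 0 and ts - last[acct] < base_s * 2 ** over:
            blocked += 1          # rejected before the password is checked
            continue
        last[acct] = ts
        streak[acct] = 0 if ok else streak[acct] + 1
    return blocked

def slow_guessing_accounts(events, window_s=7 * 86400, threshold=50):
    """Flag accounts whose failures in a long trailing window reach threshold."""
    recent, flagged = defaultdict(deque), set()
    for ts, acct, ok in events:
        if ok:
            continue
        q = recent[acct]
        q.append(ts)
        while ts - q[0] > window_s:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(acct)
    return flagged

# Constructed events: (unix_seconds, account, success)
SLOW = [(i * 1200, "alice", False) for i in range(216)]   # 3 per hour, 3 days
TYPO = [(5000 + 2 * i, "bob", i == 4) for i in range(5)]  # 4 typos, then success
BURST = [(9000 + i, "carol", False) for i in range(20)]   # 1 attempt per second

if __name__ == "__main__":
    print("burst rejected:", blocked_by_backoff(BURST))
    print("slow rejected:", blocked_by_backoff(SLOW))
    print("flagged:", slow_guessing_accounts(sorted(SLOW + TYPO + BURST)))
```

The window and threshold are tuning assumptions; in practice they are set from the observed failure rate of legitimate users on the service.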



