"Do Strong Web Passwords Accomplish Anything?"
must worry about attacks on more than a single user account
- attacking multiple users at the same time?
attacker can search all possible userID’s for a given password
- pick a random password from 500 and use it to attack m password in rockyou
the ten million trials at BigBank will amount to only one unsuccessful login per account.
- test a single account once, meaning above is correct
All the attacker requires is to make ten million trials with randomly chosen PINs to harvest, in expectation, ten successful break-ins
- implies we change the password every trial?
"Where Do Security Policies Come From?"
A bulk-guessing attack occurs when the attacker distributes the guesses among many different accounts.
- ?
rather than send one million password attempts against a single account the attacker may send one attempt each against a million different accounts
- confirms we use one password against many accounts
no account receives an unusual amount of traffic
- ?
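
The last quote, seen from the defender's side, as an added example that is not from either paper: a per-account failure threshold never fires when each account gets one guess, while counting distinct accounts with failures across the whole site does. The event format, thresholds and window are assumptions, and the login events are constructed.

```python
from collections import Counter, deque

PER_ACCOUNT_LOCKOUT = 5       # assumed: failures on one account before lockout
WINDOW_SECONDS = 300          # assumed: trailing window for the site-wide view
DISTINCT_ACCOUNT_LIMIT = 50   # assumed: normal ceiling of failing accounts per window


def make_events():
    """Constructed log: (timestamp_seconds, account, success)."""
    # Bulk guessing: one failed attempt against each of 200 different accounts.
    events = [(i, f"user{i:04d}", False) for i in range(200)]
    # Ordinary noise: one user mistypes three times, then logs in.
    events += [(50, "alice", False), (55, "alice", False),
               (60, "alice", False), (65, "alice", True)]
    return sorted(events)


def per_account_alerts(events, threshold=PER_ACCOUNT_LOCKOUT):
    """Accounts whose own failure count reaches the lockout threshold."""
    failures = Counter(acct for _, acct, ok in events if not ok)
    return sorted(a for a, n in failures.items() if n >= threshold)


def aggregate_alerts(events, window=WINDOW_SECONDS, limit=DISTINCT_ACCOUNT_LIMIT):
    """Timestamps at which the number of distinct accounts with a failed
    login inside the trailing window exceeds the limit."""
    recent = deque()          # (timestamp, account) of failures still in window
    in_window = Counter()     # account -> failures currently in window
    alerts = []
    for ts, acct, ok in events:
        if ok:
            continue
        recent.append((ts, acct))
        in_window[acct] += 1
        # Expire failures that have fallen out of the trailing window.
        while recent[0][0] <= ts - window:
            _, old = recent.popleft()
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
        if len(in_window) > limit:
            alerts.append(ts)
    return alerts


if __name__ == "__main__":
    ev = make_events()
    print("per-account lockouts:", per_account_alerts(ev))
    print("first site-wide alert at t =", aggregate_alerts(ev)[0])
```
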