
And add other defensive mechanisms like lockout after n retries.



Unless you are using a hardware-based PIN, lockout is useless. I can just back up the file before lockout and restore.

Or… I can just stop the software and change the computer time. And the timeout is over.


That's a bit like putting a website password check in the client-side JavaScript. Attacker removes lockout, continues brute-forcing.

There really isn't a solution if the entropy is low and the enforcement mechanisms are in the hands of the attacker. Even a TPM or secure element is just a financial obstacle to a sufficiently motivated attacker.


> Even a TPM or secure element is just a financial obstacle to a sufficiently motivated attacker.

For sure, but currently it's a fairly big step function for an attacker to have to tear down a TPM (or find a vulnerability in its firmware).
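A toy model of the point this thread makes, added here as an example and not code from any commenter: a 4-digit PIN protects a small "vault" whose salt, verifier and failed-attempt counter all live in one dict standing in for a file on disk. The function attempts_allowed() measures how many candidate PINs the lockout lets an adversary test, once with the counter treated as untouchable (what a hardware counter gives you) and once with the counter in storage the adversary can back up and restore. The names, the 5-attempt threshold and the PBKDF2 verifier are all constructed for the demo.

```python
"""Toy model of a PIN lockout whose attempt counter the adversary can reset.

Constructed example, not from the thread: a 4-digit PIN protects a "vault"
whose state (salt, PBKDF2 verifier, failed-attempt counter) is one dict,
standing in for a file on disk.  attempts_allowed() measures how many
candidate PINs the lockout permits, first with the counter trusted (as a
hardware counter would be) and then with the counter in the adversary's
own storage, where it can be backed up and restored.
"""
import copy
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 5   # lockout threshold used by try_unlock()
ITERATIONS = 1     # kept tiny so the demo finishes instantly; real vaults stretch far harder
PIN_SPACE = [f"{i:04d}" for i in range(10_000)]  # every 4-digit PIN


def make_vault(pin: str) -> dict:
    """Create vault state: a salted PBKDF2 verifier plus a zeroed failure counter."""
    salt = secrets.token_bytes(16)
    verifier = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
    return {"salt": salt, "verifier": verifier, "failed": 0}


def try_unlock(vault: dict, pin: str) -> bool:
    """Verify a PIN, honouring the lockout counter stored in the vault itself."""
    if vault["failed"] >= MAX_ATTEMPTS:
        return False  # locked out: refuse without checking
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), vault["salt"], ITERATIONS)
    if hmac.compare_digest(candidate, vault["verifier"]):
        vault["failed"] = 0
        return True
    vault["failed"] += 1
    return False


def attempts_allowed(vault: dict, counter_trusted: bool) -> int:
    """Count how many candidate PINs the enforcement lets an adversary test.

    counter_trusted=True models a counter the adversary cannot touch (hardware).
    counter_trusted=False models the counter living in a file the adversary
    backed up before starting and restores whenever lockout triggers.
    """
    snapshot = copy.deepcopy(vault)  # the adversary's backup of the vault file
    state = copy.deepcopy(vault)
    tested = 0
    for pin in PIN_SPACE:
        if state["failed"] >= MAX_ATTEMPTS:
            if counter_trusted:
                break  # lockout holds: the search ends here
            state = copy.deepcopy(snapshot)  # restore the backup; counter is zero again
        try_unlock(state, pin)
        tested += 1
    return tested


if __name__ == "__main__":
    vault = make_vault("7391")
    print("guesses permitted with a trusted counter:   ", attempts_allowed(vault, True))
    print("guesses permitted with a resettable counter:", attempts_allowed(vault, False))
```

With the counter trusted the search stops after MAX_ATTEMPTS guesses; with the counter in the adversary's storage every one of the 10,000 PINs can be tried, so the lockout bounds nothing. A wall-clock timeout fails the same way, since the clock is also the adversary's to set. What remains to the defender in that position is per-guess cost (ITERATIONS here), which slows the search but does not bound it, which is the thread's point about low entropy.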



