
But you can guess any whole number if you have an unlimited amount of tries. If you are interacting programmatically with a live system there is always a limit to the number of tries that you can do.


Hence the need for rate limiting to prevent brute force enumeration.


TFA (and the paper) specifically address rate-limited guessing, with a complete lockout after a small maximum #tries.

This is not about unlimited guessing, obviously, because 4 or even 6 digits can just be guessed in under a second!


iPhones and most other devices are limited. After a few tries, you will start down an increasing lock-out time for the next guesses. The back-off does not apply to changing the PIN of an unlocked phone to see if that PIN gives a warning.

TL;DR: You can find the blacklist this way but not unlock a phone.
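The rate-limited lockout the comments above describe, as an added example that is not from the thread or any vendor's code: a PIN verifier with a few free tries, escalating delays, then a hard lockout, plus a simulation that counts how many guesses a patient attacker who waits out every delay can actually test. The schedule values, the `PinVerifier` class and `simulate_enumeration` are all constructed for this example.

```python
import hmac
from dataclasses import dataclass

# Constructed lockout schedule (not any real device's numbers):
# 5 free tries, then a delay after each further wrong try, hard lockout at 10.
FREE_TRIES = 5
BACKOFF_SECONDS = [60, 300, 900, 3600]  # after the 6th, 7th, 8th, 9th wrong try
MAX_TRIES = 10                           # 10th wrong try locks permanently


@dataclass
class PinVerifier:
    pin: str
    failures: int = 0
    locked_until: float = 0.0  # clock value before which attempts are refused
    locked_out: bool = False

    def attempt(self, guess: str, now: float) -> str:
        """Returns 'ok', 'wrong', 'throttled' or 'locked_out'."""
        if self.locked_out:
            return "locked_out"
        if now < self.locked_until:
            return "throttled"          # still inside a back-off window
        if hmac.compare_digest(guess, self.pin):  # constant-time compare
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_TRIES:
            self.locked_out = True
            return "locked_out"
        if self.failures > FREE_TRIES:
            idx = min(self.failures - FREE_TRIES - 1, len(BACKOFF_SECONDS) - 1)
            self.locked_until = now + BACKOFF_SECONDS[idx]
        return "wrong"


def simulate_enumeration(pin: str, candidates) -> tuple[int, float, bool]:
    """Drive the verifier as a patient guesser would: on 'throttled', advance a
    simulated clock to the end of the window and retry. Returns
    (pins_actually_tested, simulated_seconds_elapsed, pin_found)."""
    v, clock, tests = PinVerifier(pin), 0.0, 0
    for guess in candidates:
        r = v.attempt(guess, clock)
        while r == "throttled":
            clock = v.locked_until
            r = v.attempt(guess, clock)
        tests += 1
        if r == "ok":
            return tests, clock, True
        if r == "locked_out":
            return tests, clock, False
    return tests, clock, False
```

With `simulate_enumeration("9999", (f"{i:04d}" for i in range(10000)))` the guesser tests only 10 of the 10000 candidates, over 4860 simulated seconds, before the hard lockout.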



