How long before a challenge is brute forced? #14

lil5 · 2024-10-10T06:52:40Z

lil5
Oct 10, 2024

This good to know when creating lifetime for a challenge

Oct 10, 2024

So, just to be clear, the challenge is just a random value, in our case with 18 bytes / 144 bit of entropy by default.

If the attacker has eavesdropped an authentication payload, and wants to "repeat" the login using the same payload, hence the same challenge, he would have to send on average roughly 10^43 requests to your server ...that's a lot of zeroes.

View full answer

dagnelies · 2024-10-10T10:13:57Z

dagnelies
Oct 10, 2024
Maintainer

So, just to be clear, the challenge is just a random value, in our case with 18 bytes / 144 bit of entropy by default.

If the attacker has eavesdropped an authentication payload, and wants to "repeat" the login using the same payload, hence the same challenge, he would have to send on average roughly 10^43 requests to your server ...that's a lot of zeroes.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Passwordless.ID

How long before a challenge is brute forced? #14

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Passwordless.ID

How long before a challenge is brute forced? #14

lil5 Oct 10, 2024

Replies: 1 comment

dagnelies Oct 10, 2024 Maintainer

lil5
Oct 10, 2024

dagnelies
Oct 10, 2024
Maintainer