On Wed, Oct 26, 2011 at 7:59 AM, Andre Engels andreengels@gmail.com wrote:
> I do seriously wonder whether it is possible to steal such a password 'within minutes or hours'. My calculation says that to do it within 24 hours, one needs to test 40 million passwords per second. And remember that 'testing' in this case means sending a message to the Wikimedia servers and waiting for an answer. Surely getting over 1000 times the normal number of requests per second (I have no number for the total number of requests, but the number of page requests seems to be around 6000 per second) is something that would not remain unnoticed at the Wikimedia servers for 24 hours.
Ignoring the fact that most wikis are throttled to 5 login attempts in 5 minutes per IP.
So you can really only check 60 an hour or 1440 a day per IP. So with a 114 billion/hr rate needed and limited to 60/hr, you'd need about 2.4 billion IP addresses.