On Wed, Oct 26, 2011 at 7:59 AM, Andre Engels <andreengels(a)gmail.com> wrote:
> I do seriously wonder whether it is possible to steal such a password
> 'within minutes or hours'. My calculation says that to do it within 24
> hours, one needs to test 40 million passwords per second. And remember that
> 'testing' in this case means sending a message to the Wikimedia servers and
> waiting for an answer. Surely getting over 1000 times the normal number of
> requests per second (I have no number for the total number of requests, but
> the number of page requests seems to be around 6000 per second) is something
> that would not remain unnoticed at the Wikimedia servers for 24 hours.
Ignoring the fact that most wikis are throttled to 5 login attempts
in 5 minutes per IP.
So you can really only check 60 an hour or 1440 a day per IP. So with
114 Billion/hr rate needed and limited to 60/hr you'd need about 2.4
Billion IP addresses.
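
The per-IP throttle mentioned above (5 login attempts in 5 minutes), sketched as an added example that is not part of the original thread and is not MediaWiki's own code. The class and function names and the sample addresses are hypothetical, and it assumes rejected attempts do not extend the lockout; it shows that one address tops out at 60 attempts per hour and 1440 per day regardless of how fast it sends.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding window: at most `limit` login attempts per `window` seconds per IP."""

    def __init__(self, limit=5, window=300):
        self.limit = limit
        self.window = window
        self._seen = defaultdict(deque)  # ip -> timestamps of admitted attempts

    def allow(self, ip, now):
        """Return True if the attempt may proceed to the password check."""
        q = self._seen[ip]
        # Forget attempts that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # throttled: rejected before any password is tested
        q.append(now)
        return True


def attempts_admitted(throttle, ip, seconds, rate_per_second):
    """Count attempts admitted when one IP sends `rate_per_second` for `seconds`."""
    admitted = 0
    for t in range(seconds):
        for _ in range(rate_per_second):
            if throttle.allow(ip, t):
                admitted += 1
    return admitted


if __name__ == "__main__":
    ip = "198.51.100.7"  # constructed sample address (documentation range)
    print("per hour:", attempts_admitted(LoginThrottle(), ip, 3600, 10))
    print("per day: ", attempts_admitted(LoginThrottle(), ip, 86400, 10))
```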