NoGravitas 9 days ago

If they are doing this to 125,000 accounts, they should get an average of one account per day, right? So it would on average take them 342 years to get any specific account, but as long as they aren't trying for any particular account, they've got a pretty good ROI.

I guess the fix for this would be exponential backoff on failed attempts instead of a static quota of 4 a day?

vdfs 9 days ago

Why would doing this to 125K accounts give them access to one account per day? The chances of guessing a 6-digit pin code for each account is the same (10^6) regardless of how many accounts you are attacking

MiddleEndian 9 days ago

It's never truly guaranteed and the numbers aren't quite one account per day at 125k accounts, but:

10^6 digits = 1,000,000 possibilities

125,000 accounts x 4 attempts per account per day = 500,000 attempts per day

---

1-(1-1/1,000,000)^500,000 ≈ 39%

So every day they have a roughly 39% chance of success at 125,000 accounts.

---

At a million accounts:

1-(1-1/1,000,000)^(4×1,000,000) ≈ 98%

Pretty close to 1 account per day

Off by a factor of 4 but the concept stands.

---

And 125k accounts will be close to guaranteed to getting you one each week:

1-(1-1/1,000,000)^(7×4×125,000) ≈ 97%

sobani 8 days ago

> 1-(1-1/1,000,000)^(4×1,000,000) ≈ 98%

> Pretty close to 1 account per day

No, this means there is a 98% chance you get _at least_ 1 account.

`1-1/1,000,000` is the probability you fail 1 attempt. That probability to the 4millionth is the probability you fail 4 million times in a row. 1 minus _that_ probability is that the probability that you _don't_ fail 4 million times in a row, aka that you succeed at least once.

The expected number of accounts is still number of attempts times the probability of success for 1 try, or: 4 accounts.
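
The arithmetic in this thread, as an added Python example (not code from any of the posts above): it computes the at-least-one probability and the expected number of hits that MiddleEndian and sobani discuss, and, from the defender's side, the total daily guess budget that keeps the aggregate risk of a per-account quota under a chosen threshold. `CODE_SPACE`, `campaign` and `attempts_budget` are names introduced here, not anything from the article.

```python
"""Aggregate brute-force risk of a per-account daily guess quota on 6-digit codes."""
import math

CODE_SPACE = 10**6  # six-digit code: 1,000,000 equally likely values (assumed uniform)


def p_at_least_one(attempts: int, space: int = CODE_SPACE) -> float:
    """Probability that at least one of `attempts` independent guesses hits.

    Each guess succeeds with probability 1/space, so this is the complement
    of failing every time: 1 - (1 - 1/space)^attempts. log1p/expm1 keep the
    result accurate when the exponent is in the millions.
    """
    return -math.expm1(attempts * math.log1p(-1.0 / space))


def expected_hits(attempts: int, space: int = CODE_SPACE) -> float:
    """Expected number of successful guesses: attempts times 1/space."""
    return attempts / space


def campaign(accounts: int, per_account_per_day: int, days: int = 1) -> dict:
    """Summarise an attacker spreading a per-account quota across many accounts."""
    attempts = accounts * per_account_per_day * days
    p_hit = p_at_least_one(attempts)
    return {
        "attempts": attempts,
        "p_at_least_one": p_hit,      # what the 39% / 98% figures measure
        "p_none": 1.0 - p_hit,        # toast0's 60% / 3% figures
        "expected_hits": expected_hits(attempts),  # sobani's "4 accounts"
    }


def attempts_budget(target_p: float, space: int = CODE_SPACE) -> int:
    """Largest total number of guesses per period that keeps P(at least one hit)
    at or below `target_p`. Divide by the number of accounts to see what
    per-account quota that leaves; the quota shrinks as the account count grows."""
    return math.floor(math.log1p(-target_p) / math.log1p(-1.0 / space))


if __name__ == "__main__":
    for label, kw in [("125k accounts, 4/day", dict(accounts=125_000, per_account_per_day=4)),
                      ("1M accounts, 4/day", dict(accounts=1_000_000, per_account_per_day=4)),
                      ("125k accounts, 4/day, 1 week", dict(accounts=125_000, per_account_per_day=4, days=7))]:
        r = campaign(**kw)
        print(f"{label}: P(>=1 hit)={r['p_at_least_one']:.1%}, expected hits={r['expected_hits']:.2f}")
    budget = attempts_budget(0.01)
    print(f"1% daily risk allows {budget} guesses/day in total, "
          f"i.e. {budget // 125_000} per account at 125k accounts")
```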

toast0 9 days ago

What are the chances of getting 500,000 guesses (4 each for 125,000 accounts) wrong? My math says 60%, so probably not one account per day, but if they keep it up for a week and everything else holds, there's only a 3% chance they haven't gotten any codes right.

anonymars 9 days ago

Guess the same code for every account.

Imagine the extreme case, where they pinged one million accounts and then tried the same code (123456) for each one. Statistically, 1 of those 1,000,000 six-digit TOTP codes will probably be 123456