industry2026-05-236 min read

PBKDF2 200k isn't enough — why every account needs an atomic-counter lockout

Name: thMenu
Rating: 4.9 (127 reviews)
Author: thMenu

PBKDF2 200k iter at ~250ms/attempt slows attackers, but a 100-IP residential-proxy pool runs 47,000 attempts in 12 hours. Worker IP-rate-limit alone can't deter it. thMenu's PR #548 H4 fix: D1_OPS migration 0076 pw_failures composite PK + atomic UPSERT.

thMenu Team

thmenu.com

Found this helpful? Share it.

X / Twitter LinkedIn

✦📈

industry

Why Digital Menus Increase Restaurant Revenue by Up to 30%

Studies show restaurants using digital QR menus see measurable increases in aver…

✦🔻

industry

When a Customer Downgrades, What Happens to Old Features? — The Silent Feature-Drift Problem in SaaS

Most SaaS apps run a single line of code when a customer downgrades — but old fe…

✦🛡️

industry

JWT alg-confusion attack — why Supabase's HS256 → RS256/JWKS migration breaks legacy verifiers

Verifiers that never decode the JWT header are wide open to `alg=none` and alg-c…

PBKDF2 200k isn't enough — why every account needs an atomic-counter lockout

Related articles

Why Digital Menus Increase Restaurant Revenue by Up to 30%

When a Customer Downgrades, What Happens to Old Features? — The Silent Feature-Drift Problem in SaaS

JWT alg-confusion attack — why Supabase's HS256 → RS256/JWKS migration breaks legacy verifiers