Brute force protection

It's not quite complete without code on the password reset page to tell you that you can't reuse your password.

And label the text box "username" when it only accepts email address.
- Don't forget to have hidden password requirements and secretly truncate any password longer than 12 characters.
- And then validate the email with a custom regex that definitely doesn’t account for all the valid syntax permutations defined by the several email-oriented RFCs
- You guys are evil - who shat on your pillow??
I've had that before and I'm very confident the password was correct - my theory is that they'd changed how non-ASCII characters like £ were handled and their code only half recognised my password.
I never got that rule. Surely it is less secure to keep records of historical passwords than to let someone rotate between !!!! And #### etc
- Hopefully they're not sitting the old passwords in plain text and just have the hashes.

As a non programmer, is the joke that humans will retype their password assuming that they made a typo?

If so, sick indeed.

The guy coding made it so, on your first attempt, even if you answer correctly, it will tell you your login failed due to incorrect username or password, to joke about how it feels like you always get it wrong on the first try
- The logic is bugging me, though. It should be if isFirstAttempt || !isPasswordCorrect
  
  I understand the meme is trying to convey in spite of being correct to still return an error, but then it doesn't account for when the password is actually incorrect.
I would assume that I was being phished and the attacker wanted me to re-type the password to verify that it's correct.
@gibmiser
Yes exactly 😂

Well, I sometimes input the same password 15-times in a row, and it works only on the last try. ¯⁠\⁠_⁠(⁠ツ⁠)⁠_⁠/⁠¯

@Matriks404

if isFirst14Attempts

This could actually work though lol, it's genius

- Rainbow tables and presumably newer stuff I haven't heard of make this sort of thing weaker than it used to be
- Find a good password here 😏
- I suspect if the cracking code was constructed such that it had more weight on trying combinations of common words then this would be much easier to crack

The one guy got grey hairs in-between slides lol

If they had the password right the first try, that isn't a brute force attack, thats a credential leak.

I think the author attempted first time login to be with the right password.
It should be that it rejects the password the first time it's entered correctly but accepts it on every subsequent try. That actually would provide some protection against like dictionary attacks and raw brute force attacks.
could also work in a brute force scenario, but first attempt would be not first attempt in a set amount of time but first attempt for each password by the user in a fixed amount of time
Don't trust anyone - not even yourself

This is negging for auth.

That's actually pretty smart

Password managers say hi
- I've never used one
@kandoh
Yes haha. This way we can get back to the times where 4 characters passwords were sufficient 😃

I remember in college editing OpenSSH source code to instead of return wrong password to a root shell prompt just to stop brute force attacks

A honeypot!
But... arent they logged in as root then? Wdym with "prompt" i am lost
@Pacmanlives
Couldn't you just disable root login in the sshd config?
- Oh all of my configs are deny root ssh login or without-password. I noticed a significant decrease in scans when returning a root prompt when I did that. This was also in the mid 2000s so who knows how things would be in this day in age for a reduction in scans

Fine I'll just change my password to what I thought it should be.

*New password cannot match old password

Won't protect against an offline attack (just will confuse the hell out of the hacker) but might confound an online attack? Until someone gets wise and runs the tool a second time. Loving the chaotic neutral vibes here.

It doesn't really even protect against online attacks though. Like, if you're going through a list of known accounts, by definition it won't be any of those accounts' first time logging in, right?

And if you're not going through a list of known accounts, good luck getting anywhere with your attack any time this millennia
- This would be per session, not lifetime.

Not to be pedantic but wouldn't it be IsFirstLoginWithAttemptedPassword or am I missing something?

no, since it first checks if the password is correct. if it is, display error message. if it is corrent and the second time, accept the password (code not in screenshot) but if the password is wrong, it doesnt check if it is the first attempt.
- How does that stop a brute force attack? As written, it only stops the single luckiest brute force attack that happens to get the password right on their first try.
No, it's correct - say your password gets leaked across thousands of passwords. A hacker will try to crack all of them with a program that guesses them once, which as the image suggests defeats these types of programs
@cobra89
Yeah I agree.
You're right, and nothing wrong with being pedantic when working with code :)

This is a really interesting idea, but a password manager would throw a wrench in it.

I'd assume my password was invalidated or stored incorrectly, so I'd reset, then I'd try to log in, wtf... this website blows.

took me a solid 30 seconds of re-reading to get the joke

Add a randomizer with 50/50 succeeding for this error