isFirstSuccessfulLoginAttempt
Important distinction.
Yeah, as it is it only works if the brute force algorithm gets it on the first try.
Or the variables are terribly named
Boho sort is O(1) in the best case scenario
How does this ‘kinda work’?
It rejects the first [correct] login attempt (it’s worded poorly). It assumes that a brute force attacker will try any given password once and move on, while a human user will think they made a typo and try again. This works until the attacker realizes that it takes two attempts, in which case it merely doubles the attempts required to breach the account, and simply requiring an additional password character would be vastly more effective.
What a shitty user experience for regular users.
which is why they made a comic instead of a revolutionary thought leading blog post
Hey now, I’m sure there’s someone on LinkedIn suggesting this exact thing with layers of corporate speak.
Just like captcha
Agreed, and also makes it readily known that that is what you are doing.
The sneakier more user friendly way to implement it would be to require the second correct attempt only if the user has made an incorrect attempt since the last successful login.
All tools that bruteforce passwords attempt each password only once, and if it doesn’t work, discard it. Nobody really runs 2 identical attacks back to back (they’re incredibly slow when done over the internet), so the password would seem uncrackable at first glance.
This approach wouldn’t work with hash cracking, vault breaking or file encryption, because once they get their hands on the hash/vault/file, the attacker can use their own code for hashing/checking a password candidate.
They’ll change the correct password every time because they are told it is wrong.
Don’t worry, a not-insignificant number of users probably use “Forgot Password?” every time because they can’t keep track of the correct one. Lol
I suspect this is why we started to see all those “use a temporary password instead” options lately. XD
deleted by creator
You are very confident in your ability to not make a typo.
How to make a typo when using password manager?
I tell you how. Password manager fills the input just a bit too fast so that misused react handler goes into race condition and skips last character.
You’re still typing PWs? I c&p them from Keepass.
How do you log on to your computer?
On my last job we had fingerprint scanners for that.
Memorize the disk encryption password, memorize the keepass database password… wallah
deleted by creator
