isFirstSuccessfulLoginAttempt
Important distinction.
Yeah, as it is it only works if the brute force algorithm gets it on the first try.
Boho sort is O(1) in the best case scenario
i guess you mean bogo sort? just verifying that output is sorted requires O(n). In Quantum bogo sort, you can skip verification.
Yeah, stupid autocorrect. And verifying ain’t the same as doing. I’ll come in, I’ll “sort” your data, and I’ll do it damn fast. You want verification that’s extra!
but how do you know you are done. maybe there are different ideas of what bogo sort is, but as i remember, it is basically a while true (or while false loop) with condition - while list_is_not_sorted { return_a_random_ordering }
Or the variables are terribly named
No, it just means you have to type in the correct password twice in a row.
SessionSuccessfulLogins == 1
Suggesting that an authorized user would re-attempt the correct login?
I have only one real-world example of a site where I would do that, and it’s because I know that it behaves this way (though for that site, if I had to guess, it’s likely a bug related to poorly designed async handling rather than an explicit check like in the comic). In most cases, I would assume PW recorded incorrectly in the first place and go straight for the password reset workflow.
Not sure how representative that user behavior is, but the population is N ≥ 1.
You are very confident in your ability to not make a typo.
How to make a typo when using password manager?
I tell you how. Password manager fills the input just a bit too fast so that misused react handler goes into race condition and skips last character.
You’re still typing PWs? I c&p them from Keepass.
How do you log on to your computer?
How does this ‘kinda work’?
They’ll change the correct password every time because they are told it is wrong.
Don’t worry, a not-insignificant number of users probably use “Forgot Password?” every time because they can’t keep track of the correct one. Lol
I suspect this is why we started to see all those “use a temporary password instead” options lately. XD
All tools that bruteforce passwords attempt each password only once, and if it doesn’t work, discard it. Nobody really runs 2 identical attacks back to back (they’re incredibly slow when done over the internet), so the password would seem uncrackable at first glance.
This approach wouldn’t work with hash cracking, vault breaking or file encryption, because once they get their hands on the hash/vault/file, the attacker can use their own code for hashing/checking a password candidate.
It doesn’t. Cracking programs don’t use the user login form repeatedly. They use the same algorithm that creates the publicly encoded password to generate encoded passwords and keep going until they have a match. Besides getting the encoded password and salt, everything is done offline.
This just creates a really bad user experience.
If they actually use the real login form, most websites block an account after X attempts. Sometimes for 1-24 hours, sometimes until you do a PW reset
It rejects the first [correct] login attempt (it’s worded poorly). It assumes that a brute force attacker will try any given password once and move on, while a human user will think they made a typo and try again. This works until the attacker realizes that it takes two attempts, in which case it merely doubles the attempts required to breach the account. Simply requiring an additional password character would be vastly more effective.
What a shitty user experience for regular users.
Just like captcha
which is why they made a comic instead of a revolutionary thought leading blog post
Hey now, I’m sure there’s someone on LinkedIn suggesting this exact thing with layers of corporate speak.
Agreed, and also makes it readily known that that is what you are doing.
The sneakier more user friendly way to implement it would be to require the second correct attempt only if the user has made an incorrect attempt since the last successful login.
Look, we all need to pay a little for the greater good of security.
/s
Yup it’s like how software companies will get a hate on for pirates and take it out on their loyal paying cutosmers
I swear Microsoft does that.
Even worse the silent invalidation of a correct password.
Use password manager.
Can’t log in, because “password is incorrect”… Fuck you! It is not! I copied in the same fucking thing as months before! If you want to force me to change it then say it! Asshole!
sorry, but your new password cannot be the same as your current one.
Is this Tron: Ares?
At least make it
if !isPasswordCorrect || isFirstTryguard isFirstAttempt { return LoginError(); }
Center guy’s hair got visibly lighter from the stress
Removed by mod
The only part that works is that I get to keep my trust issues.
