this post was submitted on 13 Mar 2024
1017 points (96.9% liked)

Memes

45674 readers
901 users here now

Rules:

  1. Be civil and nice.
  2. Try not to excessively repost, as a rule of thumb, wait at least 2 months to do it if you have to.

founded 5 years ago
MODERATORS
 

Brute force protection

@memes

top 50 comments
sorted by: hot top controversial new old
[–] pearsaltchocolatebar@discuss.online 187 points 8 months ago (3 children)

It's not quite complete without code on the password reset page to tell you that you can't reuse your password.

[–] kryptonianCodeMonkey@lemmy.world 132 points 8 months ago (3 children)

And label the text box "username" when it only accepts email address.

[–] helpImTrappedOnline@lemmy.world 63 points 8 months ago (3 children)

Don't forget to have hidden password requirements and secretly truncate any password longer than 12 characters.

[–] kautau@lemmy.world 34 points 8 months ago

Well yeah, if you don’t truncate the password to 12 chars how will you fit the plaintext in a memory efficient fixed latin1 CHAR column that only accepts letters, numbers, and underscores

/s

load more comments (2 replies)
[–] gravitas_deficiency@sh.itjust.works 13 points 8 months ago* (last edited 8 months ago) (1 children)

And then validate the email with a custom regex that definitely doesn’t account for all the valid syntax permutations defined by the several email-oriented RFCs

load more comments (1 replies)
[–] flambonkscious@sh.itjust.works 11 points 8 months ago (2 children)

You guys are evil - who shat on your pillow??

[–] bruhduh@lemmy.world 6 points 8 months ago
load more comments (1 replies)
[–] Deebster@lemmy.ml 11 points 8 months ago

I've had that before and I'm very confident the password was correct - my theory is that they'd changed how non-ASCII characters like £ were handled and their code only half recognised my password.

[–] bitwolf@lemmy.one 5 points 8 months ago* (last edited 8 months ago) (1 children)

I never got that rule. Surely it is less secure to keep records of historical passwords than to let someone rotate between !!!! And #### etc

load more comments (1 replies)
[–] gibmiser@lemmy.world 131 points 8 months ago (4 children)

As a non programmer, is the joke that humans will retype their password assuming that they made a typo?

If so, sick indeed.

[–] Infynis@midwest.social 105 points 8 months ago (1 children)

The guy coding made it so, on your first attempt, even if you answer correctly, it will tell you your login failed due to incorrect username or password, to joke about how it feels like you always get it wrong on the first try

[–] soloner@lemmy.world 17 points 8 months ago* (last edited 8 months ago) (2 children)

The logic is bugging me, though. It should be if isFirstAttempt || !isPasswordCorrect

I understand the meme is trying to convey in spite of being correct to still return an error, but then it doesn't account for when the password is actually incorrect.

[–] QuaternionsRock@lemmy.world 48 points 8 months ago* (last edited 8 months ago)

That defeats the brute-force attack protection…

The idea is that brute-force attackers will only check each password once, while real users will likely assume they mistyped and retype the same password.

The code isn’t complete, and has nothing to do with actually incorrect passwords.

[–] reflectedodds@lemmy.world 17 points 8 months ago (1 children)

Like the other person said, it's not meant to always fail the first time you enter any password.

It is meant to fail the first time you enter the correct password.

load more comments (1 replies)
[–] HopFlop@discuss.tchncs.de 86 points 8 months ago

Yeah, hackers have automated tools and they will, of course, only try each password once.

[–] NutWrench@lemmy.world 11 points 8 months ago

I would assume that I was being phished and the attacker wanted me to re-type the password to verify that it's correct.

load more comments (1 replies)
[–] Matriks404@lemmy.world 78 points 8 months ago* (last edited 8 months ago) (1 children)

Well, I sometimes input the same password 15-times in a row, and it works only on the last try. ¯⁠\⁠_⁠(⁠ツ⁠)⁠_⁠/⁠¯

load more comments (1 replies)
[–] Cruxifux@lemmy.world 59 points 8 months ago (1 children)

I swear this is what some websites do

[–] wesker@lemmy.sdf.org 15 points 8 months ago (1 children)

Cell phone lock screens too.

[–] Cruxifux@lemmy.world 15 points 8 months ago (2 children)
load more comments (2 replies)
[–] aiden@lemm.ee 38 points 8 months ago (1 children)

This could actually work though lol, it's genius

[–] OpenStars@startrek.website 62 points 8 months ago (5 children)
[–] Gradually_Adjusting@lemmy.ca 12 points 8 months ago (13 children)

Rainbow tables and presumably newer stuff I haven't heard of make this sort of thing weaker than it used to be

[–] lauha@lemmy.one 30 points 8 months ago (4 children)

Salting makes rainbow tables pretty much useless, and salting has been a standard practise for a few decades now.

load more comments (4 replies)
[–] Whelks_chance@lemmy.world 18 points 8 months ago

How does a rainbow table help here? They're more for decoding unsalted encrypted database tables, rather than for actually trying to login.

[–] Clent@lemmy.world 13 points 8 months ago

The rainbow table would have to include every four word combination. At around half a million words in the English dictionary, that's not a small number.

As another XKCD comic illustrates, it's cheaper to use a wrench.

[–] saigot@lemmy.ca 12 points 8 months ago* (last edited 8 months ago) (4 children)

Dictionary attacks have been around for a long time, but It's still quite strong especially if you throw in a number.

A fully random 8 character password has about 10^14 brute force combinations (assuming upper and lower case + the normal special characters). 4 words choosen at random from the top 3000 words (which is a very small vocabulary really) is 10^13 dictionary attack combinations, add a single number or account for variations in word style (I.e maybe don't always use camel case) and you've matched the difficulty. If you use 5 words it's 10^17 combinations.

A password manager and a hard password is a better idea but there are cases where you can't use a password manager (like the password to said manager).

load more comments (4 replies)
load more comments (9 replies)
[–] Rustmilian@lemmy.world 10 points 8 months ago* (last edited 8 months ago) (1 children)

Example of what My passwords are like :
%*7EfOLkN@6AP28!8Dl#
or potentially if allowed :
W@c2wYnN9J3xGcyc47#ZkHJvt&Hm%q&Ad0b&Xwz#jnl4Th%6UBexD16a$YBFc@svnVrCBxXP0EpwLp6%Gk*Lom%@Qq#DjY1zsf0CzIrHHqPc8gt4edDVsg!omj*kIsIJ
Good luck guessing my shit.

[–] smileyhead@discuss.tchncs.de 10 points 8 months ago (4 children)

Amateur! Strong enough passwords are like:

ÕÚüd¸2stb½õ~jëv×Â/oyÓh²î´t¶»Ö°ÍðoNVRïé2Wc4'H,CâÞó_ökÅ,Kð¡X9ÄÀ.þTØÓoæ73d*ëÞ¢?²i"`צeÉçß,ÎÅëüS.¹([)ãÒÑêf9÷¿¢=@Á×ÅQÎÂßu¸Å(iRZµîw&ãR
[–] MeatPilot@lemmy.world 13 points 8 months ago

That's the stupidest combination I've ever heard in my life! That's the kinda thing an idiot would have on his luggage!

[–] Rustmilian@lemmy.world 9 points 8 months ago* (last edited 8 months ago) (7 children)

Try this on for size :

`'�d+�t<�5mF�qrqcmv/�F��~��Yv�Om�/lK�RɏY%ɺP1�h�Ryl-�G/��m�ʰ�+^)��<>�itdkaz�q2HA*1�PK�D@{9�vN.<}�~ٕ�_�26IA/cHIn����1ĈҾܒl�I9$�vA��W¸ȶW"z�}θ�x�,>~�Ux�SJZ\�5ÀI��F}nLZT�;KӚq�&NQo32y7���0"^LÎs>��j!��V��k��2O<2W�ƽYcA#8�J�Of�pهZb�%1g�w�!k*h(ʶ73�@�CC�hUsԺe!_��dR�ٞpvG|.=4{v"&.��m=_�͚DZZף�aaZ��Cq�!sG1T3�=2lb,����^�镰n)Ld]��Ϯ

What's my power level now?

load more comments (7 replies)
load more comments (2 replies)
load more comments (3 replies)
[–] Boop2133@lemmy.world 34 points 8 months ago

The one guy got grey hairs in-between slides lol

[–] TORFdot0@lemmy.world 29 points 8 months ago (5 children)

If they had the password right the first try, that isn't a brute force attack, thats a credential leak.

[–] UnrepententProcrastinator@lemmy.ca 19 points 8 months ago

I think the author attempted first time login to be with the right password.

[–] winterayars@sh.itjust.works 16 points 8 months ago

It should be that it rejects the password the first time it's entered correctly but accepts it on every subsequent try. That actually would provide some protection against like dictionary attacks and raw brute force attacks.

[–] iAvicenna@lemmy.world 9 points 8 months ago

could also work in a brute force scenario, but first attempt would be not first attempt in a set amount of time but first attempt for each password by the user in a fixed amount of time

load more comments (2 replies)
[–] plaidman@programming.dev 28 points 8 months ago

This is negging for auth.

[–] kandoh@reddthat.com 24 points 8 months ago (2 children)

That's actually pretty smart

[–] aggelalex@lemmy.world 8 points 8 months ago (4 children)
load more comments (4 replies)
load more comments (1 replies)
[–] pythonoob@programming.dev 16 points 8 months ago

Fine I'll just change my password to what I thought it should be.

*New password cannot match old password

[–] Pacmanlives@lemmy.world 14 points 8 months ago (6 children)

I remember in college editing OpenSSH source code to instead of return wrong password to a root shell prompt just to stop brute force attacks

load more comments (6 replies)
[–] finkrat@lemmy.world 14 points 8 months ago* (last edited 8 months ago) (4 children)

Won't protect against an offline attack (just will confuse the hell out of the hacker) but might confound an online attack? Until someone gets wise and runs the tool a second time. Loving the chaotic neutral vibes here.

load more comments (4 replies)
[–] cobra89@beehaw.org 9 points 8 months ago (4 children)

Not to be pedantic but wouldn't it be IsFirstLoginWithAttemptedPassword or am I missing something?

[–] chraebsli@programming.dev 7 points 8 months ago (3 children)

no, since it first checks if the password is correct. if it is, display error message. if it is corrent and the second time, accept the password (code not in screenshot) but if the password is wrong, it doesnt check if it is the first attempt.

load more comments (3 replies)
load more comments (3 replies)
[–] normalexit@lemmy.world 8 points 8 months ago

This is a really interesting idea, but a password manager would throw a wrench in it.

I'd assume my password was invalidated or stored incorrectly, so I'd reset, then I'd try to log in, wtf... this website blows.

[–] TheCheddarCheese@lemmy.world 6 points 8 months ago

took me a solid 30 seconds of re-reading to get the joke

load more comments
view more: next ›