But it kinda works tho...

isFirstSuccessfulLoginAttempt

Important distinction.

dalekcaan @feddit.nl 4d ago
Yeah, as it is it only works if the brute force algorithm gets it on the first try.
- atopi @piefed.blahaj.zone 3d ago
  Or the variables are terribly named
- Jimbabwe @lemmy.world 3d ago
  Boho sort is O(1) in the best case scenario
- TheseusNow @lemmy.zip 3d ago
  Not even then. Brute force cracking programs don't rely on the server to indicate if the attempted password is correct.
- Simulation6 @sopuli.xyz 3d ago
  No, it just means you have to type in the correct password twice in a row.
funkless_eck @sh.itjust.works 3d ago
SessionSuccessfulLogins == 1

Even worse the silent invalidation of a correct password.

Use password manager.

Can't log in, because "password is incorrect"... Fuck you! It is not! I copied in the same fucking thing as months before! If you want to force me to change it then say it! Asshole!

mckean @programming.dev 2d ago
sorry, but your new password cannot be the same as your current one.

falseWhite @lemmy.world 3d ago

I swear Microsoft does that.

snooggums @piefed.world 4d ago

How does this 'kinda work'?

MyTurtleSwimsUpsideDown @fedia.io 4d ago
It rejects the first [correct] login attempt (it’s worded poorly). It assumes that a brute force attacker will try any given password once and move on, while a human user will think they made a typo and try again. This works until the attacker realizes that it takes two attempts, in which case it merely doubles the attempts required to breach the account, and simply requiring an additional password character would be vastly more effective.
- snooggums @piefed.world 4d ago
  What a shitty user experience for regular users.
black0ut @pawb.social 4d ago
All tools that bruteforce passwords attempt each password only once, and if it doesn't work, discard it. Nobody really runs 2 identical attacks back to back (they're incredibly slow when done over the internet), so the password would seem uncrackable at first glance.
This approach wouldn't work with hash cracking, vault breaking or file encryption, because once they get their hands on the hash/vault/file, the attacker can use their own code for hashing/checking a password candidate.
🇰 🌀 🇱 🇦 🇳 🇦 🇰 🇮 @pawb.social 4d ago
They'll change the correct password every time because they are told it is wrong.
- MonkeMischief @lemmy.today 3d ago
  Don't worry, a not-insignificant number of users probably use "Forgot Password?" every time because they can't keep track of the correct one. Lol
  I suspect this is why we started to see all those "use a temporary password instead" options lately. XD
TheseusNow @lemmy.zip 3d ago
It doesn't. Cracking programs don't use the user login form repeatedly. They use the same algorithm that creates the publicly encoded password to generate encoded passwords and keep going until they have a match. Besides getting the encoded password and salt, everything is done offline.
This just creates a really bad user experience.
- Camelbeard @lemmy.world 3d ago
  If they actually use the real login form, most websites block an account after X attempts. Sometimes for 1-24 hours, sometimes until you do a PW reset

laserm @lemmy.world 3d ago

At least make it if !isPasswordCorrect || isFirstTry

Samskara @sh.itjust.works 3d ago
guard isFirstAttempt { return LoginError(); }

blockheadjt @sh.itjust.works 3d ago

Center guy's hair got visibly lighter from the stress

Septimaeus @infosec.pub 4d ago

accideath @feddit.org 4d ago
You are very confident in your ability to not make a typo.
- sznowicki @lemmy.world 4d ago
  How to make a typo when using password manager?
  I tell you how. Password manager fills the input just a bit too fast so that misused react handler goes into race condition and skips last character.
- CyberEgg @discuss.tchncs.de 4d ago
  You're still typing PWs? I c&p them from Keepass.
- Septimaeus @infosec.pub 4d ago