It's not quite complete without code on the password reset page to tell you that you can't reuse your password.
And label the text box "username" when it only accepts email address.
I've had that before and I'm very confident the password was correct - my theory is that they'd changed how non-ASCII characters like £ were handled and their code only half recognised my password.
I never got that rule. Surely it is less secure to keep records of historical passwords than to let someone rotate between !!!! And #### etc
Hopefully they're not sitting the old passwords in plain text and just have the hashes.
As a non programmer, is the joke that humans will retype their password assuming that they made a typo?
If so, sick indeed.
The guy coding made it so, on your first attempt, even if you answer correctly, it will tell you your login failed due to incorrect username or password, to joke about how it feels like you always get it wrong on the first try
Yeah, hackers have automated tools and they will, of course, only try each password once.
I would assume that I was being phished and the attacker wanted me to re-type the password to verify that it's correct.
@gibmiser
Yes exactly 😂
Well, I sometimes input the same password 15-times in a row, and it works only on the last try. ¯\_(ツ)_/¯
if isFirst14Attempts
The one guy got grey hairs in-between slides lol
This could actually work though lol, it's genius
Find a good password here 😏
If they had the password right the first try, that isn't a brute force attack, thats a credential leak.
I think the author attempted first time login to be with the right password.
It should be that it rejects the password the first time it's entered correctly but accepts it on every subsequent try. That actually would provide some protection against like dictionary attacks and raw brute force attacks.
could also work in a brute force scenario, but first attempt would be not first attempt in a set amount of time but first attempt for each password by the user in a fixed amount of time
Don't trust anyone - not even yourself
This is negging for auth.
That's actually pretty smart
@kandoh
Yes haha. This way we can get back to the times where 4 characters passwords were sufficient 😃
Fine I'll just change my password to what I thought it should be.
*New password cannot match old password
Won't protect against an offline attack (just will confuse the hell out of the hacker) but might confound an online attack? Until someone gets wise and runs the tool a second time. Loving the chaotic neutral vibes here.
It doesn't really even protect against online attacks though. Like, if you're going through a list of known accounts, by definition it won't be any of those accounts' first time logging in, right?
And if you're not going through a list of known accounts, good luck getting anywhere with your attack any time this millennia
I remember in college editing OpenSSH source code to instead of return wrong password to a root shell prompt just to stop brute force attacks
A honeypot!
But... arent they logged in as root then? Wdym with "prompt" i am lost
@Pacmanlives
Couldn't you just disable root login in the sshd config?
This is a really interesting idea, but a password manager would throw a wrench in it.
I'd assume my password was invalidated or stored incorrectly, so I'd reset, then I'd try to log in, wtf... this website blows.
took me a solid 30 seconds of re-reading to get the joke
Add a randomizer with 50/50 succeeding for this error
Best idea ever!!!
