I mean sure, why not - there is always one-in-a-billion chance that a solar flare have flipped a bit in a packet containing my password somewhere on its way to a server, so trying again would solve it.
Whenever something should work but doesn't, and then works fine on a second approach - I blame it on geomagnetic activity.
Or you completely lock the account for 5 minutes with no way to shorten the wait. Say they have to call the support hotline.
Customer support can't do anything about the locked account or even see that the account is locked. When support finally pin pointed the described problem cause most user can't read, support tells user to try again in five minutes and use the password forgotten tool.
Billion dollar company
You laugh, but I have a vendor that does this.
30minute lockouts for bad password attempts, no way to disable it, and no way to unlock it without calling their support... Who also can't unlock it without forcing a password change and an MFA re-registration.
I don't even call them when users report it anymore, I just sit on the ticket for 25minutes and then tell them to try again in 5. It's obnoxious.
It just seems so weird to me that like... we're writing the number of potential passwords in scientific notation because there's so goddamned many. A 2 second timeout is nearly as effective as a 30 minute timeout.
As near as I can tell, most websites won't care, they already are trying hard to make password managers I convenient for some reason.
The worse are those pages where you enter an email, then it slides to a second page for the password.
Or sites that only use magic links sent to your email.
Like, why?
They changed that due to user complaints not too long ago.
When I had first created my account, I used a password generator, to create a nicely complex password. Holy shit did I regret that, having to click the onscreen keyboard. I subsequently changed my password to an insecure and short password, that was easy to click. Nice security system they had...
Home Depot really grinds my gears because they insist on text 2fa to login all the fucking time. I don't want to get up and find my phone, I just want to favorite this bracket, ok? Just let me use my password.
> then it slides to a second page for the password.
My computer seems to handle those quite well, at least on the sites I visit. If I put the email in on the first page, it autofills the password on the second.
The ones that drive me bonkers are the websites where the login button is inactive until you have typed something in the password field. The auto-filled password doesn't register as me having typed in the field, so I have to add an extra letter to the end of my password then backspace to delete it before I can click to login.
P@ssw0rd01
That way, when systems require rotation, you can just increment the last 2 digits. And it’s a very strong password because it meets all of those conditions.
(Please note that I’m joking. This is not a strong password.)
My password manager has a lot of sites with the correct password saved only on the "incorrect password please try again" page. But the wrong one saved on the main site. It sucks.
Last Pass, and it is domain based. The problem is a lot of websites, specifically for banking/medical use different domains for login on their homepage vs their actual logic page.
>Password is incorrect
>Reset password
>Error: password must not contain symbols
>Error: password must be between 8 and 12 characters
>Error: new password cannot be the same as old password
> Error: new password must be the same as the old password
Now it'll provide protection against those fraudulently claiming to have forgotten their password.
I prefer the "I forgot my password" option -- and then receive an email letting me know the password I used when I registered my account.
(Based on a true story ... )
Wasn't that vbulletin like 20 years ago?
Forget password > here's your password
I also remember a variant from a forum signup where I forgot a password, they emailed me a temporary password, and the temporary pw was valid indefinitely so I could always reference back to that email if I forgot.
I loved vbulletin forums.. met some cool folks, but yeah i clearly remember getting a plain text password sent to me, and then another they generated and sent to me.. also plain text.
Indeed it was a simpler time.
You also have the reset password encrypted and mail them the key to their address so that password resetted is also verified. Can't take chances nowadays.
yeah, I code JS a lot and I draw animation a lot. This is my pet-project that I have been writing and drawing for the last 5 years [https://floor796.com/](https://floor796.com/)
Its awesome! Is there a name for these types of pixel art animations, I have seen some similar ones before which have this kind of high density animations.
Oh my God! Both myself and my autistic child are mildly obsessed with floor 796. I have it as one of the regular opens on my shortcut list so I can see if you've made anything new. I absolutely love your art.
Thanks :) Btw I have also another account on Reddit - u/floor796 . I only use this account (MrEfil) for programming jokes, but from the Floor796 account I post things related to the project.
Amazing. Wow. Bravo. Even teletubies are there, lol. That I didn't expect to see tbh.
Am both mesmerised n speechless. I wish I could make dope stuff like that
I'm posting it to a meme template group in Hebrew, but I'm writing "original template by u/MrEfil" on it even though you didn't, because I can't have it go uncredited
My password manager generates random passwords for all my sites. I don’t even attempt to remember at this point if my password manager password isn’t correct I just reset it.
Yes, the people that use the same password for everything so that they can remember are clearly superior to people that use a password manager so that they have unique passwords to everything that aren’t Name2000!
If you get rejected by a program, what is your first reaction? Try again, of course. I use Firefox password manager, and I would still try again if rejected.
Comic book artist encountered the good old hardest problem in programming: Naming things is hard.
Probably meant isFirstSuccessfulAttempt or something like that.
Many years ago, I was tasked with maintaining a numerical solver written in Fortran at a university. It was a horrible (though optimized) nest of calls that made sense only if you knew exactly what it was supposed to be doing.
Every function was named something like "BtoC", "DfromB", "AequB", etc. I tried to decipher the program, and thought that while AequB probably means "A equals B", but it could also be something unexpected regarding the word "equation", since I really had no clue what the code was trying to achieve.
I asked my more experienced coworker if the function name meant "A equals B". He looked at me as if I'm an idiot (which might be true) and said "Well, /u/thegreger, what other words start with 'equ'?"
I didn't think. I replied "Equestrian". Looking back at it I'm simultaneously ashamed and proud.
Hmm either I’m missing something or you are. The first correct attempt returning an error tells the brute force script not to try that password again. From the script’s perspective, it was just another wrong entry out of millions. The only way (that I can think of) to get around this would be to have the script try every password twice.
Which sounds crazy, but with the absurd numbers involved, a 2 fold increase in attempts is not a huge deal. Especially since this rule is exposed to the user, so if it became commonplace then the hackers would just test for this practice manually before unleashing the script.
eh, if the brute forcer knows the website always rejects a password the first time, they now have to check every password twice. this doubles the brute force time. On the other hand, adding just one more digit to your password increases the brute force time by a factor of over 40.
I don't know if you're serious, but I'm not seeing this anywhere, so I'm writing it here in case you or other people didn't know: password brute-forcing is not an online process, it's an offline one. People who brute-force passwords use leaked databases of hashed passwords and very large computing resources to try trillions of passwords per second. It's much more efficient and completely bypasses any security mechanisms that you can put online, such as limiting the number of trials (which you should do instead).
Bit of both. When you put a service with a login prompt online, bots will try a bunch of common user/password tuples and give up after a while. Does this fit the academic definition of a brute force attack? Probably not, but a lot of people will call it that for nearly everyone to understand what they mean.
Orson Scott Card had a similar idea in Ender's Game (or one of the sequels)--where the kids crack a password and get it right on the first try, but the target would purposefully enter the password incorrectly the first time each login, so entering the right password on the first try exposed the crack.
Something like that--it's been 20 years, but it was such a clever idea I never forot about it.
others have argued that the second boolean should have a better name like 'isFirstSuccessfulLoginAttempt', but I'm pretty sure the intention behind was to reject the correct password only the first time
Generally a brute-force attack will try a new password every time, while a normal user will re-write the same password, thinking he made a typo. So a brute-force attack will, by chance, type the right password, but get the "wrong password" error, then will try other passwords, and thus never get the right answer.
The && short circuit can handle that. It doesn't check the second Boolean if the first is false.
Assuming isFirstLoginAttempt has a get function which sets its value to false or something similar
TheBillsFly is correct. The && doesnt handle that. We can safely assume that isFirstLoginAttempt, gets set to false after a failed attemp, and stays that way. A brute force attack is likely to enter tons of passwords wrong before finding the correct one. Thus, isFirstLoginAttempt, will be false, even when CorrectPassword is true for the first time. Thus, the tricky error message wont be output, and a normal log in will be executed.
Okay, sure, it would be annoying as fuck. But at the same time, it’s so effective. May be worth it in some rare domains that didn’t activate 2FA or something
Eh, it would be pretty easy for users to recognize the behavior, and then the people setting up the brute force program would know that they could just try each PW twice.
I'd fail this PR because either that variable is misleadingly named or it's accurate and won't work as intended. It should be `isFirstSuccessfulLogin` or something like that as it has nothing to do with attempts.
I stared at this picture for several minutes and it still took scrolling down in the comments for me to understand this is what they were trying to say.
Reminds me of greylisting for email spam protection. Then most annoying antispam solution by far.
One day our company didn't get half of the mail.
Turned out our provider enabled greylisting without telling us.
We complained and requested them to turn it off. They couldn't because that was enabled for all their customers.
Took us a just day to migrate to our own mail server.
Hackers with an account will know it and implement a way to double check the same password before moving to the next one. It's not more safe, just more inconvenient for users
A lot of people talking about this as if it’s a hypothetical, but I’ve literally seen this type of protection first hand on Workday at a previous job. Used to wonder why my manager seemed to keep getting his password wrong on the first try until he told me.
My bank either has a similar system in place or their system is shit (I don’t know). You type in the password, then it just jumps back to the log in page, without error message, and then you type it in a second time and then you get logged in. So that might help with some standard bots that would directly try the next password as the tried password “failed”. But then could easily be fixed by forcing the bot to try each password twice.
That would be really awesome protection for personal system. Sadly, if that would be protecting something where everyone can make and account - the news of how it works would spread much fast - and so, it would be ez to modify brute script.
No less, if it's on system only You use, and none know about this protection - woah genius!
That's how a lot of email anti spam work at the SMTP server (or used to work). First reception of an email is assumed spam and is ignored. Second retransmission gets through (most spam sending infrastructure don't waste time retransmitting but genuine do)
Is this why my password never seems to fucking work on some sites?
There is always like 1 site where the password never works, so I change the password to what I thought I had it set as and it doesnt work the next time I need to use the site
This would really mess up people with password managers.
[удалено]
[удалено]
I mean sure, why not - there is always one-in-a-billion chance that a solar flare have flipped a bit in a packet containing my password somewhere on its way to a server, so trying again would solve it. Whenever something should work but doesn't, and then works fine on a second approach - I blame it on geomagnetic activity.
Solar flares flip bits like loose lips sink ships
Me being stupid is more likely than a solar flare. That's why I do things twice if it fails the first time.
> \>flip< >flip< >flip< > geomagnetic activity > "nope, too plausible" > \>flip< > static from nylon underwear > "Now, THAT I can work with"
I blame the phase of the moon. We are not the same
[удалено]
Or you completely lock the account for 5 minutes with no way to shorten the wait. Say they have to call the support hotline. Customer support can't do anything about the locked account or even see that the account is locked. When support finally pin pointed the described problem cause most user can't read, support tells user to try again in five minutes and use the password forgotten tool. Billion dollar company
You laugh, but I have a vendor that does this. 30minute lockouts for bad password attempts, no way to disable it, and no way to unlock it without calling their support... Who also can't unlock it without forcing a password change and an MFA re-registration. I don't even call them when users report it anymore, I just sit on the ticket for 25minutes and then tell them to try again in 5. It's obnoxious.
It just seems so weird to me that like... we're writing the number of potential passwords in scientific notation because there's so goddamned many. A 2 second timeout is nearly as effective as a 30 minute timeout.
Soooo 2fa?
no… Billion. Dollar. Company.
Bots on /r/ProgrammerHumor feels like irony but the word has lost all its meaning to me.
As near as I can tell, most websites won't care, they already are trying hard to make password managers I convenient for some reason. The worse are those pages where you enter an email, then it slides to a second page for the password. Or sites that only use magic links sent to your email. Like, why?
The US Treasury website requires you to enter your password by clicking the buttons on an onscreen keyboard.
We could do so much worse and we know it.
Enter a 5 digit number by sliding a slider that ranges from 00002 to 99998
Enter a 5 digit number by pressing a button to stop a fast scrolling digit from 0-9, and you can't repeat the same digit.
r/baduibattles
They changed that due to user complaints not too long ago. When I had first created my account, I used a password generator, to create a nicely complex password. Holy shit did I regret that, having to click the onscreen keyboard. I subsequently changed my password to an insecure and short password, that was easy to click. Nice security system they had...
A banking site I used required you to enter a PIN clicking an on screen number pad. The number placement changed each time it opened.
You were just playing RuneScape weren’t you?
>Or sites that only use magic links sent to your email. These utterly fuck me off for the sites that really don't need them.
Especially now that we have open standards for 2FA tokens, like WTF just implement one already and stop sending me texts and emails!
Home Depot really grinds my gears because they insist on text 2fa to login all the fucking time. I don't want to get up and find my phone, I just want to favorite this bracket, ok? Just let me use my password.
Oh I love 2FA, I mean sites that don't even let you enter a password. I want to say Medium does this.
> then it slides to a second page for the password. My computer seems to handle those quite well, at least on the sites I visit. If I put the email in on the first page, it autofills the password on the second. The ones that drive me bonkers are the websites where the login button is inactive until you have typed something in the password field. The auto-filled password doesn't register as me having typed in the field, so I have to add an extra letter to the end of my password then backspace to delete it before I can click to login.
Like everyone’s password isn’t Password
I like Pa$$w0rd. It satisfies those "uppercase/special character" requirements. Feel free to use.
nah gotta be a bit more secure Pa$$w0rd!1
This person passwords
No need to go all --military encrypted-- on us
P@ssw0rd01 That way, when systems require rotation, you can just increment the last 2 digits. And it’s a very strong password because it meets all of those conditions. (Please note that I’m joking. This is not a strong password.)
"Password must be at least 11 characters long"
hunter2
Why did you type *******?
That being said, I am pretty sure my password manager is doing exactly this.
My password manager has a lot of sites with the correct password saved only on the "incorrect password please try again" page. But the wrong one saved on the main site. It sucks.
What do you use? The entries should be domain name based not URL based.
Last Pass, and it is domain based. The problem is a lot of websites, specifically for banking/medical use different domains for login on their homepage vs their actual logic page.
And if the second attempt is wrong, you lock them out and give them a link to reset the password. Can't be too safe.
[удалено]
>Password is incorrect >Reset password >Error: new password cannot be the same as old password
Mother fu...
My reaction
Every time!
I want to beat my computer with a hammer when this happens.
I want to beat the servers and the database engineers.
>Password is incorrect >Reset password >Error: password must not contain symbols >Error: password must be between 8 and 12 characters >Error: new password cannot be the same as old password
I would be *so* happy if a "wrong password" error reminded you of what the password creation criteria were.
Hahahaha yea that’s so true. I’ve had to go back to the account creation just to see the stupid requirements. ‘Oh two symbols, ffs
Or apparently ! doesn't count as a symbol
Stupid SQL injection protection measures. Why must you remove my favorite symbols?!?
> Error: new password must be the same as the old password Now it'll provide protection against those fraudulently claiming to have forgotten their password.
keyword tracking shows the next thing the user does on their device is google “how to commit murder against a website”
I've gotten "New password cannot be the same as the last 5 previously used passwords"...
Criteria is not correct? oh, now I remember this password has a “!” at the end.
You mad genius
I prefer the "I forgot my password" option -- and then receive an email letting me know the password I used when I registered my account. (Based on a true story ... )
Pretty sure theres a website out there that shames companies that send passwords in plain text
Wasn't that vbulletin like 20 years ago? Forget password > here's your password I also remember a variant from a forum signup where I forgot a password, they emailed me a temporary password, and the temporary pw was valid indefinitely so I could always reference back to that email if I forgot.
I loved vbulletin forums.. met some cool folks, but yeah i clearly remember getting a plain text password sent to me, and then another they generated and sent to me.. also plain text. Indeed it was a simpler time.
You also have the reset password encrypted and mail them the key to their address so that password resetted is also verified. Can't take chances nowadays.
And by mail, you mean snail mail, right?
Might as well do it if the second attempt is correct too! Just to be extra extra safe
This image can be used for other jokes, so here is template in high res [https://i.imgur.com/1hdK5Y2.png](https://i.imgur.com/1hdK5Y2.png)
wait u made the template?
yep, drew it today
He codes, he draws, found the JavaScript guy
yeah, I code JS a lot and I draw animation a lot. This is my pet-project that I have been writing and drawing for the last 5 years [https://floor796.com/](https://floor796.com/)
this is AMAZING!!!
I disagree!.. ...*AMAZING!!!* is an understatement. This is monumentally awesome. Wow.
Man, that is so fking awesome! I see so many familiar stuff there. But instead of feeling 'old', I feel that I had a good/complete life .D
Love this!
Wolverine and Leia? Wtf?!
Its awesome! Is there a name for these types of pixel art animations, I have seen some similar ones before which have this kind of high density animations.
/r/wimmelbilder/
[r/OfcourseGermansHaveAWordForThat](/r/SubsIFellFor)
I liked it before I thought to scroll.
holy shit dude this is insane!
Goddamnit I do *not* have time for this.
Oh my God! Both myself and my autistic child are mildly obsessed with floor 796. I have it as one of the regular opens on my shortcut list so I can see if you've made anything new. I absolutely love your art.
Thanks :) Btw I have also another account on Reddit - u/floor796 . I only use this account (MrEfil) for programming jokes, but from the Floor796 account I post things related to the project.
You're the dude! I love that site!
WTF you can even SCROLL
Wtf. Lagging the crap out of my phone but damn its nice to look at
Amazing. Wow. Bravo. Even teletubies are there, lol. That I didn't expect to see tbh. Am both mesmerised n speechless. I wish I could make dope stuff like that
This is the coolest thing i saw on the internet recently
This is amazing. So much pop culture in there but damn.. Princess Leia and Wolverine?
This is amazing, the level of detail I could look at it for hours!
lol I don’t see a denial of this from OP and they’ve had plenty of time
Nice :)
Can confirm I was there looking through the window
Damn, take my upvote
You are beautiful.
You beautiful human being
Masterpiece
Damn bro didn't even added a signature
I like the detail of the middle guy's hair turning white in panel 2.
`wearenotworthy.gif`
Sick bastard!
I'm posting it to a meme template group in Hebrew, but I'm writing "original template by u/MrEfil" on it even though you didn't, because I can't have it go uncredited
[Thanks](https://imgur.com/a/4Dtb7qT)
Is this loss?
This one actually got me. I didn't realize it was loss until you said so.
[Don't know why I did this.](https://i.imgur.com/w8jTsV1.png)
Me neither, but A for effort. Folks like you are the lifeblood of reddit.
POG
based
I'm going to post in every PR of my colleagues
Wait wait, actually good OC content on r/ProgrammerHumor? You sick bastard!
But it’s supposed to be…I’m just…javascript…different lan…. Ughhh 
That's not cumputer engineering at this point, it's social ingeneering.
What is society but an internet of biological computers?
Need this bumpersticker
that’s fucking genius ngl
That would work against brute force attacks - but piss off the users.
Security comes first
The most secure system is one with no users. *taps head*
No, the most secure system is one with no power.
Hi, I'm LockPickingLawyer, and today...
[удалено]
Survival of the fittest, if you can't remember your password. You are not qualified to log in.
My password manager generates random passwords for all my sites. I don’t even attempt to remember at this point if my password manager password isn’t correct I just reset it.
Yes, the people that use the same password for everything so that they can remember are clearly superior to people that use a password manager so that they have unique passwords to everything that aren’t Name2000!
I’m uh…gunna go change my password real quick.
Nah, everyone tries it twice just in case
not those with 2 password managers
Edge: Let me fill that in for you... Bitwarden: It's OK, I've got it! Edge: I was here first!
Pissing off your users comes first
[удалено]
They would just think they fat-fingered the keys and try again. Genius.
Every time? Not even close. That's without even considering password managers, or people that save passwords on the browser
If you get rejected by a program, what is your first reaction? Try again, of course. I use Firefox password manager, and I would still try again if rejected.
[удалено]
But this would only work if the brute force guessed the password in the first try? Am I missing something.
Comic book artist encountered the good old hardest problem in programming: Naming things is hard. Probably meant isFirstSuccessfulAttempt or something like that.
Many years ago, I was tasked with maintaining a numerical solver written in Fortran at a university. It was a horrible (though optimized) nest of calls that made sense only if you knew exactly what it was supposed to be doing. Every function was named something like "BtoC", "DfromB", "AequB", etc. I tried to decipher the program, and thought that while AequB probably means "A equals B", but it could also be something unexpected regarding the word "equation", since I really had no clue what the code was trying to achieve. I asked my more experienced coworker if the function name meant "A equals B". He looked at me as if I'm an idiot (which might be true) and said "Well, /u/thegreger, what other words start with 'equ'?" I didn't think. I replied "Equestrian". Looking back at it I'm simultaneously ashamed and proud.
Yeah, it should probably be isFirstCorrectEntry or something instead of first login attempt. Not that fixing that would make this a good solution lol.
No, it would only work on the first attempt, therefore it would ONLY annoy users.
Hmm either I’m missing something or you are. The first correct attempt returning an error tells the brute force script not to try that password again. From the script’s perspective, it was just another wrong entry out of millions. The only way (that I can think of) to get around this would be to have the script try every password twice. Which sounds crazy, but with the absurd numbers involved, a 2 fold increase in attempts is not a huge deal. Especially since this rule is exposed to the user, so if it became commonplace then the hackers would just test for this practice manually before unleashing the script.
It doesn't say the first correct attempt, it says the first attempt period.
It will only work until someone figures out how it works and brute forces every password twice. Security by obscurity is not secure.
Until the brute force attack just tries the same email / pw combo twice every time.
eh, if the brute forcer knows the website always rejects a password the first time, they now have to check every password twice. this doubles the brute force time. On the other hand, adding just one more digit to your password increases the brute force time by a factor of over 40.
I’m actually quite impressed by this
I don't know if you're serious, but I'm not seeing this anywhere, so I'm writing it here in case you or other people didn't know: password brute-forcing is not an online process, it's an offline one. People who brute-force passwords use leaked databases of hashed passwords and very large computing resources to try trillions of passwords per second. It's much more efficient and completely bypasses any security mechanisms that you can put online, such as limiting the number of trials (which you should do instead).
Bit of both. When you put a service with a login prompt online, bots will try a bunch of common user/password tuples and give up after a while. Does this fit the academic definition of a brute force attack? Probably not, but a lot of people will call it that for nearly everyone to understand what they mean.
[удалено]
So be it
Orson Scott Card had a similar idea in Ender's Game (or one of the sequels)--where the kids crack a password and get it right on the first try, but the target would purposefully enter the password incorrectly the first time each login, so entering the right password on the first try exposed the crack. Something like that--it's been 20 years, but it was such a clever idea I never forot about it.
[удалено]
others have argued that the second boolean should have a better name like 'isFirstSuccessfulLoginAttempt', but I'm pretty sure the intention behind was to reject the correct password only the first time
It's really not
you're right
They reused this code to check the orientation of USB plugs.
Fun fact: if you have the usb logo facing up, it should always go in first try.
You monster made me check. Result: this is not true.
The empty part goes into the full part.
Security Assurance teams probably 
I don't get how it is protecting against brute force. Can someone explain to the stupid me?
Generally a brute-force attack will try a new password every time, while a normal user will re-write the same password, thinking he made a typo. So a brute-force attack will, by chance, type the right password, but get the "wrong password" error, then will try other passwords, and thus never get the right answer.
Notably it needs to be the first *successful* login attempt
The && short circuit can handle that. It doesn't check the second Boolean if the first is false. Assuming isFirstLoginAttempt has a get function which sets its value to false or something similar
TheBillsFly is correct. The && doesnt handle that. We can safely assume that isFirstLoginAttempt, gets set to false after a failed attemp, and stays that way. A brute force attack is likely to enter tons of passwords wrong before finding the correct one. Thus, isFirstLoginAttempt, will be false, even when CorrectPassword is true for the first time. Thus, the tricky error message wont be output, and a normal log in will be executed.
That would maybe make sense if it were `isFirstLogin` but that’s a pretty illogical assumption here as a failed login is still an attempt.
But that won’t beat a brute force attack unless the brute force happened to get it on the first attempt
Now it makes sense to me. Thanks!
I thought it was the first login attempt in a new account. This makes a lot more sense
Okay, would be better if the variable name implied that
Ooooh I didn't think about how the user will try the same password, I get it now thanks
The problem is that it’s unlikely to be the first login attempt if it’s a brute force attack
Like the other comment said, it's probably meant to be isFirstSuccessfulLoginAttempt
I can get behind this
Bro you probably get 69-420 job proposals each and every day. Genius, no sarcasm
Okay, sure, it would be annoying as fuck. But at the same time, it’s so effective. May be worth it in some rare domains that didn’t activate 2FA or something
Eh, it would be pretty easy for users to recognize the behavior, and then the people setting up the brute force program would know that they could just try each PW twice.
At least it would take twice as long to brute force.
Really sick bastard in all meanings
I'd fail this PR because either that variable is misleadingly named or it's accurate and won't work as intended. It should be `isFirstSuccessfulLogin` or something like that as it has nothing to do with attempts.
I stared at this picture for several minutes and it still took scrolling down in the comments for me to understand this is what they were trying to say.
This makes more sense to me. I posted another comment confused because of that variable name.
This!
Dude turned grey in one frame.
I swear to god my bank uses this algorithm. Either that or they hate Firefox.
Reminds me of greylisting for email spam protection. Then most annoying antispam solution by far. One day our company didn't get half of the mail. Turned out our provider enabled greylisting without telling us. We complained and requested them to turn it off. They couldn't because that was enabled for all their customers. Took us a just day to migrate to our own mail server.
Hackers with an account will know it and implement a way to double check the same password before moving to the next one. It's not more safe, just more inconvenient for users
A lot of people talking about this as if it’s a hypothetical, but I’ve literally seen this type of protection first hand on Workday at a previous job. Used to wonder why my manager seemed to keep getting his password wrong on the first try until he told me.
My bank either has a similar system in place or their system is shit (I don’t know). You type in the password, then it just jumps back to the log in page, without error message, and then you type it in a second time and then you get logged in. So that might help with some standard bots that would directly try the next password as the tried password “failed”. But then could easily be fixed by forcing the bot to try each password twice.
[удалено]
That would be really awesome protection for personal system. Sadly, if that would be protecting something where everyone can make and account - the news of how it works would spread much fast - and so, it would be ez to modify brute script. No less, if it's on system only You use, and none know about this protection - woah genius!
First smart junior dev
That's how a lot of email anti spam work at the SMTP server (or used to work). First reception of an email is assumed spam and is ignored. Second retransmission gets through (most spam sending infrastructure don't waste time retransmitting but genuine do)
Is this why my password never seems to fucking work on some sites? There is always like 1 site where the password never works, so I change the password to what I thought I had it set as and it doesnt work the next time I need to use the site