Skip to main content

Brute force protection

@Memes

@Memes

Anders Rytter Hansen reshared this.

in reply to Anders Rytter Hansen

pearsaltchocolatebar
pearsaltchocolatebar
It's not quite complete without code on the password reset page to tell you that you can't reuse your password.
in reply to Anders Rytter Hansen

kandoh
kandoh
That's actually pretty smart
in reply to kandoh

Anders Rytter Hansen
Anders Rytter Hansen
@kandoh
Yes haha. This way we can get back to the times where 4 characters passwords were sufficient 😃
@kandoh
in reply to Anders Rytter Hansen

pythonoob
pythonoob

Fine I'll just change my password to what I thought it should be.

*New password cannot match old password

in reply to Anders Rytter Hansen

gibmiser
gibmiser

As a non programmer, is the joke that humans will retype their password assuming that they made a typo?

If so, sick indeed.

in reply to Anders Rytter Hansen

normalexit
normalexit

This is a really interesting idea, but a password manager would throw a wrench in it.

I'd assume my password was invalidated or stored incorrectly, so I'd reset, then I'd try to log in, wtf... this website blows.

in reply to Anders Rytter Hansen

finkrat
finkrat
Won't protect against an offline attack (just will confuse the hell out of the hacker) but might confound an online attack? Until someone gets wise and runs the tool a second time. Loving the chaotic neutral vibes here.
This entry was edited (1 month ago)
in reply to Anders Rytter Hansen

Matriks404
Matriks404
Well, I sometimes input the same password 15-times in a row, and it works only on the last try. ¯⁠\⁠⁠(⁠ツ⁠)⁠⁠/⁠¯
This entry was edited (1 month ago)
in reply to Anders Rytter Hansen

TORFdot0
TORFdot0
If they had the password right the first try, that isn't a brute force attack, thats a credential leak.
in reply to Anders Rytter Hansen

Pacmanlives
Pacmanlives
I remember in college editing OpenSSH source code to instead of return wrong password to a root shell prompt just to stop brute force attacks
in reply to Anders Rytter Hansen

Pacmanlives
Pacmanlives
Oh all of my configs are deny root ssh login or without-password. I noticed a significant decrease in scans when returning a root prompt when I did that. This was also in the mid 2000s so who knows how things would be in this day in age for a reduction in scans
in reply to Pacmanlives

Anders Rytter Hansen
Anders Rytter Hansen
@Pacmanlives
So it was a fake root prompt which tricked the bots into believing that they logged in successfully but in reality the prompt could do nothing on the system?
@Pacmanlives
⇧