Brute force protection
took me a solid 30 seconds of re-reading to get the joke
I swear this is what some websites do
Cell phone lock screens too.
Also USB cords
And women
It’s true. I get my password wrong all the time.
Add a randomizer with 50/50 succeeding for this error
Fine, I’ll just change my password to what I thought it should be.
*New password cannot match old password
Well, I sometimes input the same password 15 times in a row, and it works only on the last try. ¯\_(ツ)_/¯
if isFirst14Attempts
This could actually work though lol, it’s genius
Find a good password here 😏
I suspect if the cracking code was constructed such that it had more weight on trying combinations of common words then this would be much easier to crack
I would naively think that as well - you would expand your alphabet of “symbols” to include both single letters and numbers and punctuation but also common words as well. It is still a lot of combinations to have to try though, even if less than each letter by itself.
Rainbow tables and presumably newer stuff I haven’t heard of make this sort of thing weaker than it used to be
Dictionary attacks have been around for a long time, but it’s still quite strong, especially if you throw in a number.
A fully random 8 character password has about 10^14 brute force combinations (assuming upper and lower case + the normal special characters). 4 words chosen at random from the top 3000 words (which is a very small vocabulary really) is 10^13 dictionary attack combinations; add a single number or account for variations in word style (i.e. maybe don’t always use camel case) and you’ve matched the difficulty. If you use 5 words it’s 10^17 combinations.
A password manager and a hard password is a better idea but there are cases where you can’t use a password manager (like the password to said manager).
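The search-space comparison in the comment above, worked through as an added example (not code from the thread). The scheme table, the 94-symbol printable alphabet, the 7776-word diceware list and the 1e10 guesses/second rate are assumptions chosen for illustration; it also shows why a digit appended at a fixed position adds far less than one inserted at an unknown position.

```python
import math

# Constructed scheme table (an assumption for this example, not from the thread).
# Each entry is (symbol_count, length): a "symbol" is one printable character
# for the random scheme and one whole word for the word-based schemes.
SCHEMES = {
    "random-8-chars": (94, 8),       # printable ASCII without space
    "4-words-3000": (3000, 4),       # the thread's 3000-word vocabulary
    "5-words-3000": (3000, 5),
    "diceware-7": (7776, 7),         # standard 6^5-entry diceware list
}


def search_space(symbol_count: int, length: int) -> int:
    """Worst-case number of guesses when every symbol is chosen uniformly."""
    return symbol_count ** length


def entropy_bits(symbol_count: int, length: int) -> float:
    """log2 of the search space; the unit that lets unlike schemes be compared."""
    return length * math.log2(symbol_count)


def with_digit_appended(symbol_count: int, length: int) -> int:
    """One decimal digit always at the end: the attacker's work grows only 10x."""
    return search_space(symbol_count, length) * 10


def with_digit_inserted(symbol_count: int, length: int) -> int:
    """One decimal digit at any of the length+1 gaps between symbols: the
    attacker must also try every position, so the work grows 10 * (length+1) x."""
    return search_space(symbol_count, length) * 10 * (length + 1)


def seconds_to_crack(space: int, guesses_per_second: float) -> float:
    """Expected time: on average the right guess comes halfway through the space."""
    return (space / 2) / guesses_per_second


def report(guesses_per_second: float = 1e10) -> dict:
    """Return {scheme: (bits, expected_seconds)} for the assumed guess rate.
    1e10/s is an assumed offline rate against a fast unsalted hash, not a
    figure from the thread."""
    out = {}
    for name, (n, k) in SCHEMES.items():
        space = search_space(n, k)
        out[name] = (round(entropy_bits(n, k), 1),
                     seconds_to_crack(space, guesses_per_second))
    return out


if __name__ == "__main__":
    for name, (bits, secs) in report().items():
        print(f"{name:16s} {bits:6.1f} bits  ~{secs / 86400:14.1f} days")
```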
I’m a basic little shit so, I basically use a correct horse + number password for my PW manager
I use a whole sentence with a typo lol
Something like "On March the 3rd of 2012 my dog Billy ate 8€ worrth of schmeggles!"
Used the beginning letters of the words in a song verse, sprinkled with special characters for the rhythm; feels good while typing.
I do a passphrase like the comic followed by 56 characters of gibberish using an https://onlykey.io/ (acts as a USB keyboard) that has a 10 digit pin (6 characters to choose from) and a kill switch pin (if I were ever forced to unlock it). I use this method for my disk encryption, main account login, and password manager.
I also use a https://www.themooltipass.com/ for vendor diversity (4 digit pin but all hex characters). I prefer the onlykey.
I rotate the gibberish monthly and the passphrase 2-3 times a year.
Once a year I change up the pin codes.
I figure that gives me enough entropy from brute force on all my systems with a balanced level of convenience and security. I literally don’t know a single one of my passwords.
How does a rainbow table help here? They’re more for decoding unsalted encrypted database tables, rather than for actually trying to login.
Salting makes rainbow tables pretty much useless, and salting has been a standard practice for a few decades now.
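The point made in the comment above, as an added example that is not code from the thread: a precomputed digest table answers any unsalted leak instantly, while a per-account random salt makes the same password hash differently for every user and leaves the table useless. The toy wordlist and the single SHA-256 pass are assumptions for clarity; real storage should put a slow KDF on top of the salt.

```python
import hashlib
import os

# Constructed toy cracking dictionary (an assumption for this example).
WORDLIST = ["password", "hunter2", "letmein", "correcthorse", "Banana$1234"]


def unsalted_hash(password: str) -> str:
    """Legacy storage: the same password gives the same digest for every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_table(words) -> dict:
    """Precomputed digest -> plaintext map. A rainbow table is a compressed
    form of exactly this: built once, reused against every unsalted leak."""
    return {unsalted_hash(w): w for w in words}


def salted_hash(password: str, salt: bytes) -> str:
    """Salted storage. One SHA-256 pass is kept here for clarity; production
    code should use a slow KDF (argon2, scrypt, bcrypt, PBKDF2) with the salt."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def new_record(password: str) -> tuple:
    """What a sane user table stores per account: random salt + salted digest."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def table_lookup(table: dict, digest: str):
    """The O(1) step that works against an unsalted leak; None means a miss."""
    return table.get(digest)


def demo() -> dict:
    table = build_table(WORDLIST)
    # Legacy unsalted storage: the leaked digest is in the table immediately.
    legacy = unsalted_hash("hunter2")
    # Two accounts with the same password under per-account salts: the two
    # digests differ from each other and neither is in the precomputed table.
    _salt_a, rec_a = new_record("hunter2")
    _salt_b, rec_b = new_record("hunter2")
    return {
        "legacy_cracked": table_lookup(table, legacy),
        "salted_a_cracked": table_lookup(table, rec_a),
        "salted_b_cracked": table_lookup(table, rec_b),
        "salted_records_identical": rec_a == rec_b,
    }


if __name__ == "__main__":
    print(demo())
```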
A few? I always had an easy time cracking my mom’s desktop password with them so I guess Microsoft wasn’t doing it with XP or Vista.
You do realize XP and Vista are a few decades old?
No I’m a few decades old.
Just to give you an opposite example: WordPress, Magento, Drupal and Django have been using salts for almost 2 decades now.
Yeah, I thought about adding a note that it’s pretty outdated, and dictionary-based scans were always possible, even if less common in the old days, like those infamous passwords “God”, “Love”, “secret”, or “admin”.
The artist is pretty smart most of the time though so I presume they were aware of that possibility and meant that on a more basic level there are multiple ways to make passwords easier for a user to remember, not necessarily just this one rather simplistic take but as part of a whole approach. Then again, they didn’t say that, and instead said this, thus the controversy.
Personally I gave up entirely and now I don’t even know what any of my own passwords are, though my password manager does:-). I guess… if you cannot beat them, join them!?:-P
It’s not outdated at all, but you need more words.
See diceware, 7 to 8 words is typically all you need
My current favorite “memorizable” method (obviously a random hash from a PW manager is still better) is to take a sentence of moderate complexity that includes the name of the service you’re signing up for in it, and use the first letter of each word as your password.
For example, “When I wake up in the morning, the first thing I do is go to pawb.social.”
Password would be “WIwuitm,tftIdigtps.”
Easy to remember, immune to dictionary attacks, and you get a (mostly) unique password for each service, so stolen passwords can only access that one thing.
Edit: To be clear, the value is that you can use the same sentence everywhere, switching out the name of the service to generate semi-unique passwords for each service. Obviously someone analyzing your passwords would be able to figure out the pattern, but that’s basically never what actually happens; it’s more likely someone gets 1 password and tries your email address + that PW in a variety of services, which this is strong against.
This seems like a memory method for someone who has a great memory. (Better than mine anyway)
It’s surprisingly easy to memorize. The sentence basically acts as a mnemonic device to remember the password, and it’s a lot easier to memorize a sentence that makes sense to you than to memorize something like “Tr0ub4d0r&8”.
I just see myself changing the words around honestly. It’s not like I think it’s a bad idea, just dunno if I can pull it off.
I simply change my keyboard layout. Auto-scramble a simple phrase.
I dunno, all I do is hit copy, then go to the website and hit paste, and that’s pretty easy as well:-P.
I do need to step up my game for work though, b/c it keeps asking me for a password multiple times a day, so if I could rattle one off that would be better than having to open up my password manager and get it.
I have a strict, “do I give a fuck” policy when it comes to security.
I keep the harder to crack passwords for critical things like banking, etc… since there’s only a few I can remember them. I also always use MFA.
For all the other shit that I don’t give a fuck if it’s hacked it’s the good old *Banana$1234" type password that I reuse for decades and save to firefox’s password manager.
The rainbow table would have to include every four word combination. At around half a million words in the English dictionary, that’s not a small number.
As another XKCD comic illustrates, it’s cheaper to use a wrench.
Example of what my passwords are like:
%*7EfOLkN@6AP28!8Dl#
or potentially, if allowed:
W@c2wYnN9J3xGcyc47#ZkHJvt&Hm%q&Ad0b&Xwz#jnl4Th%6UBexD16a$YBFc@svnVrCBxXP0EpwLp6%Gk*Lom%@Qq#DjY1zsf0CzIrHHqPc8gt4edDVsg!omj*kIsIJ
Good luck guessing my shit.
You fool, you utter buffoon -
This is what a strong enough password looks like
Try this on for size:
#ENHANCE
All I see is hunter2?
Entropy so strong it makes quantum computers cry.
Why would I have to verify by eye? That’s what a password manager is for. And writing your passwords on paper? ಠ益ಠ
That’s the stupidest combination I’ve ever heard in my life! That’s the kinda thing an idiot would have on his luggage!
The one guy got grey hairs in-between slides lol
Won’t protect against an offline attack (just will confuse the hell out of the hacker) but might confound an online attack? Until someone gets wise and runs the tool a second time. Loving the chaotic neutral vibes here.
It doesn’t really even protect against online attacks though. Like, if you’re going through a list of known accounts, by definition it won’t be any of those accounts’ first time logging in, right?
And if you’re not going through a list of known accounts, good luck getting anywhere with your attack any time this millennium.
This would be per session, not lifetime.
Function naming could use some work then; it’s not obvious that isFirstLoginAttempt would be session-aware. Sorry, I’ll stop being pedantic now.
This makes it even more cursed
Not to be pedantic but wouldn’t it be IsFirstLoginWithAttemptedPassword or am I missing something?
You’re right, and nothing wrong with being pedantic when working with code :)
No, it’s correct - say your password gets leaked across thousands of passwords. A hacker will try to crack all of them with a program that guesses them once, which as the image suggests defeats these types of programs
No, since it first checks if the password is correct. If it is, display the error message. If it is correct and it’s the second time, accept the password (code not in screenshot), but if the password is wrong, it doesn’t check if it is the first attempt.
How does that stop a brute force attack? As written, it only stops the single luckiest brute force attack that happens to get the password right on their first try.
You can’t really prevent a brute force attack. Even if you prevent it from one IP or so, you can still do “distributed” brute force attacks.
Also only allowing one password per 5 seconds or so per IP will not work if you have lots of users and they are at work and have the same IP.
It wouldn’t stop most brute force attacks, which are not performed on the live web service, but rather on a password hash list that was stolen via some other means.
It’s not quite complete without code on the password reset page to tell you that you can’t reuse your password.
I’ve had that before and I’m very confident the password was correct - my theory is that they’d changed how non-ASCII characters like £ were handled and their code only half recognised my password.
I never got that rule. Surely it is less secure to keep records of historical passwords than to let someone rotate between !!! and #### etc.
Hopefully they’re not sitting the old passwords in plain text and just have the hashes.
And label the text box “username” when it only accepts email address.
You guys are evil - who shat on your pillow??
**Allegedly
Hearsay
And then validate the email with a custom regex that definitely doesn’t account for all the valid syntax permutations defined by the several email-oriented RFCs
Only on mobile though, on desktop have different criteria. Perhaps give the text box an arbitrary max length of like 30 characters on sign-in but not on account creation.
Don’t forget to have hidden password requirements and secretly truncate any password longer than 12 characters.
Well yeah, if you don’t truncate the password to 12 chars how will you fit the plaintext in a memory efficient fixed latin1 CHAR column that only accepts letters, numbers, and underscores
/s
Battle.net used to not be case-sensitive for passwords, back in like the pre-WoW era.
Interesting. At least they got their act together, even making a physical TOTP authenticator in the 2000s.
If they had the password right the first try, that isn’t a brute force attack, that’s a credential leak.
It should be that it rejects the password the first time it’s entered correctly but accepts it on every subsequent try. That actually would provide some protection against like dictionary attacks and raw brute force attacks.
I think the author intended the first-time login to be with the right password.
Could also work in a brute force scenario, but the first attempt would not be the first attempt in a set amount of time, but the first attempt for each password by the user in a fixed amount of time.
Don’t trust anyone - not even yourself
@Rustmilian
Good password
Best idea ever!!!
This is negging for auth.
That’s actually pretty smart
Password managers say hi
I’ve never used one
Bitwarden works well.
I feel like it’ll screw me when I need to log into accounts on devices like my TV or Google Home
I don’t really have “devices” that need logging into, so I can’t help you there.