this post was submitted on 21 Oct 2025
697 points (97.7% liked)
memes
17788 readers
2238 users here now
Community rules
1. Be civil
No trolling, bigotry or other insulting / annoying behaviour
2. No politics
This is non-politics community. For political memes please go to !politicalmemes@lemmy.world
3. No recent reposts
Check for reposts when posting a meme, you can only repost after 1 month
4. No bots
No bots without the express approval of the mods or the admins
5. No Spam/Ads/AI Slop
No advertisements or spam. This is an instance rule and the only way to live. We also consider AI slop to be spam in this community and is subject to removal.
A collection of some classic Lemmy memes for your enjoyment
Sister communities
- !tenforward@lemmy.world : Star Trek memes, chat and shitposts
- !lemmyshitpost@lemmy.world : Lemmy Shitposts, anything and everything goes.
- !linuxmemes@lemmy.world : Linux themed memes
- !comicstrips@lemmy.world : for those who love comic stories.
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
How does this 'kinda work'?
It doesn't. Cracking programs don't use the user login form repeatedly. They use the same algorithm that creates the publicly encoded password to generate encoded passwords and keep going until they have a match. Besides getting the encoded password and salt, everything is done offline.
This just creates a really bad user experience.
If they actually use the real login form, most websites block an account after X attempts. Sometimes for 1-24 hours, sometimes until you do a PW reset
It rejects the first [correct] login attempt (it’s worded poorly). It assumes that a brute force attacker will try any given password once and move on, while a human user will think they made a typo and try again. This works until the attacker realizes that it takes two attempts, in which case it merely doubles the attempts required to breach the account, and simply requiring an additional password character would be vastly more effective.
What a shitty user experience for regular users.
which is why they made a comic instead of a revolutionary thought leading blog post
Hey now, I'm sure there's someone on LinkedIn suggesting this exact thing with layers of corporate speak.
Yup it’s like how software companies will get a hate on for pirates and take it out on their loyal paying cutosmers
Look, we all need to pay a little for the greater good of security.
/s
Just like captcha
Agreed, and also makes it readily known that that is what you are doing.
The sneakier more user friendly way to implement it would be to require the second correct attempt only if the user has made an incorrect attempt since the last successful login.
All tools that bruteforce passwords attempt each password only once, and if it doesn't work, discard it. Nobody really runs 2 identical attacks back to back (they're incredibly slow when done over the internet), so the password would seem uncrackable at first glance.
This approach wouldn't work with hash cracking, vault breaking or file encryption, because once they get their hands on the hash/vault/file, the attacker can use their own code for hashing/checking a password candidate.
They'll change the correct password every time because they are told it is wrong.
Don't worry, a not-insignificant number of users probably use "Forgot Password?" every time because they can't keep track of the correct one. Lol
I suspect this is why we started to see all those "use a temporary password instead" options lately. XD