28Oca
Is it viable to defend against brute force attacks by rejecting correct passwords?
(found on reddit)
[translation: the website is programmed to reject the login if it is the correct password and if it is the first login attempt]
Assume that the scheme is to reject the first correct login attempt - because otherwise it doesn't make much sense.
In the form presented in the comic it is security by obscurity. However:
- it will still defeat most bots that try common passwords against every single login box they can find
- Make it random instead: a 100% chance to reject the correct password on the first login attempt, and a 50% chance to reject it on every subsequent attempt in a row. The number of attempts an attacker would have to make for each guess would then increase very considerably, even if the attacker was aware of the scheme.
Now I know this is horrible from the usability point of view. But from the purely security point of view, would it work?
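To make the trade-off concrete, here is an added Python model of the randomised scheme from the question (constructed example, not code from the comic, the post or any real site): a login check that always rejects the first correct attempt and then rejects later correct attempts with probability `p_reject`, plus the cost this imposes on a legitimate user versus an attacker who either does not know about the scheme or knows it and repeats every guess until a miss is unlikely. Class and function names (`FlakyLogin`, `retries_needed`, `dictionary_attack`) and the sample password list are my own assumptions.

```python
import random


class FlakyLogin:
    """Login check modelled on the scheme in the question (constructed example).
    The first correct attempt is always rejected; each later correct attempt is
    rejected with probability p_reject. Wrong passwords are always rejected, so a
    rejection alone does not reveal whether the guess was correct."""

    def __init__(self, secret, p_reject, rand=random.random):
        self.secret = secret
        self.p_reject = p_reject
        self.rand = rand          # injectable for deterministic testing
        self.correct_seen = False
        self.calls = 0            # total login attempts observed by the server

    def attempt(self, password):
        self.calls += 1
        if password != self.secret:
            return False
        if not self.correct_seen:   # first correct attempt: always rejected
            self.correct_seen = True
            return False
        return self.rand() >= self.p_reject   # accepted with prob. 1 - p_reject


def expected_legit_attempts(p_reject):
    """Expected logins a legitimate user needs: one guaranteed rejection, then a
    geometric wait with success probability 1 - p_reject."""
    return 1 + 1 / (1 - p_reject)


def retries_needed(p_reject, miss_prob):
    """Repeats k per guess an attacker who knows the scheme needs so that the
    chance of a correct guess being rejected all k times, p_reject**(k-1), is
    at most miss_prob. This k is the cost multiplier the scheme imposes."""
    k = 1
    while p_reject ** (k - 1) > miss_prob:
        k += 1
    return k


def dictionary_attack(login, guesses, repeats):
    """Try each guess `repeats` times; return (password found or None, attempts)."""
    for guess in guesses:
        for _ in range(repeats):
            if login.attempt(guess):
                return guess, login.calls
    return None, login.calls


if __name__ == "__main__":
    guesses = ["123456", "password", "qwerty", "correct horse", "letmein"]  # constructed
    print("legit user, p=0.5:", expected_legit_attempts(0.5), "attempts on average")
    print("naive bot:", dictionary_attack(FlakyLogin("correct horse", 0.5), guesses, 1))
    k = retries_needed(0.5, 0.01)
    print("informed attacker needs", k, "tries per guess:",
          dictionary_attack(FlakyLogin("correct horse", 0.5), guesses, k))
```

With p_reject = 0.5 the legitimate user needs three attempts on average, a bot that tries each password once never gets in, and an attacker who knows the scheme pays roughly an eightfold cost per guess to keep the miss rate under 1%, which is the "very considerably" of the question made quantitative.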