Discussion on: [PoC] Partially random passwords: or how to protect users passwords from keyloggers with partially random passwords

jakebman

If I (the attacker) already have a user's password with the random characters, I only need N guesses to guess an unused password where N is the total length of the password.

I just try replacing each character in the password with a random character one at a time until one of them changes the random phrase and not the critical password.

Youghourta Benali

The whole idea is to stop the hacker from the first attempt, and either lock the account or notify the user so she can change her password.

Besides, any decent authentication would implement a throttling mechanism, or ban a certain IP from trying to log in after a certain number of failed attempts.

Diego Casella

So why not use 2FA? You said that sometimes 2FA is not an option but, if that's what you want to achieve, I would recommend making the effort to use 2FA, instead of reinventing your own security mechanism (which is usually difficult to get right).

Furthermore, never forget this: 98% of the time your user will be either lazy or stupid; the remaining 1%, both[0].
Do not put them in charge of their own security, ever.

Because I can totally see the following scenario, where your user will say:

oh damn, I have a 6 characters long password, and now I have to type 6 (or any custom number) more random chars :(
...
you know what? I'll shorten the password to the minimum length required, then the website will take care of the rest. Problem solved!

which effectively weakens the effectiveness of the user's password, not to mention it is not compatible with password managers.

[0] the other 1% use a password manager ;)