DEV Community

Discussion on: [PoC] Partially random passwords: or how to protect users passwords from keyloggers with partially random passwords

jakebman profile image

If I (the attacker) already have a user's password with the random characters, I only need N guesses to guess an unused password where N is the total length of the password.

I just try replacing each character in the password with a random character one at a time until one of them changes the random phrase and not the critical password.

djug profile image
Youghourta Benali Author

the whole idea is to stop the hacker from the first attempt, and either lock the account or notify the user so she can change her password.

besides, any decent authentication would implement a throttling mechanism, or ban a certain IP from trying to login after a certain number of failed attempts

polentino911 profile image
Diego Casella

So why not using 2FA? You said that sometimes 2FA is not an option but, if that's you want to achieve, I would recommend to make the effort to use 2FA, instead of reinventing your own security mechanism (which usually is difficult to get it right).

Furthermore, never forget this: 98% of the time your user will be either lazy or stupid; the remaining 1%, both[0].
Do not put them in charge of their own security, ever.

Beucase I can totally see the following scenario, where your user will say

oh damn, I have a 6 characters long password, and now I have to type 6 (or any custom number) more random chars :(
you know what? I'll shorten the password to the minimum length required, then the website will take care of the rest. Problem solved!

which effectively weakens the effectiveness of the user's password, not to mention is not compatible with password managers.

[0] the other 1% use a password manager ;)