To all the websites that take more than 2 seconds to figure out whether your username/password combination is correct,


I don't want to watch your sorry ass fucking shitty application server try to figure out if I entered my fucking credentials correctly for 50 fucking seconds since I have to try them multiple times because I have visited your worthless fucking website like once or twice and couldn't remember the password well.

  • 9
    Use password manager. If bcrypt has high number of rounds it is pretty normal to have the process a little bit longer
  • 21
    Some times its a measure against brute force attacks
  • 6
    @24th-Dragon Came to say this
  • 6
    @24th-Dragon It's also why it makes sense to delay even correct logins by one or two seconds to that the brute force attacker cannot use the delayed response as shortcut information whether the login has failed.
  • 3
    While I agree with the brute force attack point of view, the more up-to-date concensus is that a BF attack will definitely take well over houndred attempts, even dictionary attacks will take more than 5. So usually the artificial delay should appear only as a result of several incorrect attempts. We have UX even in security!
  • 0
    I can add to that - I hate when some stupid site like news site where I want to leave comments asks to register with fucking full name and password requires numbers, special character. Fuck you such site owners. What fuck the attarker will want to steal my commenting account? if if he steals, thats my problem if I used weak password. If I know that account is important for me then I will fukcing chooose strong password.
  • 0
    If anyone is wondering why your app also needs 2 seconds+ to check for user/pass auth:

    It means your indices are bad (and probably not even being used due to some other constraint in the query) or your queries are really really bad.

    This sort of thing should not take more than a few ms to check on an SQL table with less than 1 million rows.
  • 0
    use argon2 correctly and it is perfectly normal to take 2s.
    you cant short circuit it, thats just part of the hashing system.

    maybe just enter the right creds
Add Comment