by RandomInteger4 2536 days ago
The web developers that think like this are bad at web development, and likely security. Why would anyone trying to brute force your authentication portal care about using your UI?

This is giving me bad ideas about making the UI (and only way to log in) be to send the password 1 character at a time as it's typed, and then using some form of ml to try and identify probable bots.

You'd probably mostly catch password managers and people copy-pasting passwords though. If you had per-user fingerprints also people typing on a new device...

I'm pretty sure that would be unmanageable, but I'd love to see it tried. Are you thinking of each character acting more like a number in a combination lock and needing to be provided to the app sequentially to be checked? I don't get how you distinguish between password managers and bots or API dictionary attacks on the same interface?
Isn't that essentially how the "I'm not a bot" captcha works though? And it seems to work pretty well.
>This is giving me bad ideas about making the UI (and only way to log in) be to send the password 1 character at a time as it's typed, and then using some form of ml to try and identify probable bots.

at that point you might as well outsource that sort of fingerprinting/behavior analysis to some service like recaptcha.

I mean, I suppose my idea is basically "build a recaptcha competitor". OTOH an in-house recaptcha is "better" because

- Hackers haven't spent time breaking it

- It doesn't raise the same level of privacy concerns

- You control the UI (though recaptcha3 gives you that) and have greater insight into what the score means and why

Sounds like a great way to create a huge security flaw for your users and their passwords, or a nifty method by which your attackers can DoS your site.

KISS.
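To make the flaw that comment warns about concrete, here is an added example (not code from this thread or from any real product): a simulated "combination lock" login that checks each typed character as it arrives and rejects a wrong one immediately, beside a conventional login that only answers after the whole password is submitted. The per-character server is a prefix oracle, so an attacker needs at most alphabet_size * length guesses instead of alphabet_size ** length. The class and function names, the 36-symbol alphabet, the sample secrets and the assumption that the attacker knows the password length are all constructed for this example.

```python
import hmac
import itertools
import string

# Constructed alphabet for the example: lowercase letters and digits, 36 symbols.
ALPHABET = string.ascii_lowercase + string.digits


class PerCharacterLogin:
    """Hypothetical 'combination lock' server: each character is checked as it
    arrives, and a wrong character is rejected right away (the session resets)."""

    def __init__(self, secret):
        self._secret = secret

    def start(self):
        return {"prefix": ""}

    def send_char(self, session, ch):
        candidate = session["prefix"] + ch
        if not self._secret.startswith(candidate):
            session["prefix"] = ""          # wrong character: start over
            return "rejected"
        session["prefix"] = candidate
        return "logged_in" if candidate == self._secret else "ok"


class AllAtOnceLogin:
    """Conventional server: a single yes/no answer for the whole password,
    compared in constant time so the answer does not leak a matching prefix."""

    def __init__(self, secret):
        self._secret = secret.encode()

    def login(self, password):
        return hmac.compare_digest(self._secret, password.encode())


def attack_per_character(server):
    """Recover the secret one position at a time using the reject-early oracle.
    Returns (recovered_secret, number_of_candidate_characters_tried)."""
    recovered, guesses = "", 0
    while True:
        for ch in ALPHABET:
            guesses += 1
            session = server.start()
            for known in recovered:                 # replay the prefix we already know
                server.send_char(session, known)
            result = server.send_char(session, ch)  # probe one new character
            if result != "rejected":
                recovered += ch
                break
        else:
            raise RuntimeError("secret uses a character outside ALPHABET")
        if result == "logged_in":
            return recovered, guesses


def attack_all_at_once(server, length):
    """Brute force the conventional server: every full password of the given
    length must be tried. Returns (password_or_None, number_of_guesses)."""
    guesses = 0
    for combo in itertools.product(ALPHABET, repeat=length):
        guesses += 1
        password = "".join(combo)
        if server.login(password):
            return password, guesses
    return None, guesses


def worst_case_guesses_per_character(length):
    # The oracle makes the cost additive across positions.
    return len(ALPHABET) * length


def worst_case_guesses_all_at_once(length):
    # Without the oracle the cost is multiplicative across positions.
    return len(ALPHABET) ** length


if __name__ == "__main__":
    secret = "s3cret9"                               # constructed sample secret
    pw, n = attack_per_character(PerCharacterLogin(secret))
    print(f"per-character oracle: recovered {pw!r} in {n} guesses "
          f"(worst case {worst_case_guesses_per_character(len(secret))})")
    print(f"all-at-once login of the same length: worst case "
          f"{worst_case_guesses_all_at_once(len(secret))} guesses")
    short = "q7z"                                    # short enough to brute force here
    print("all-at-once brute force of", repr(short), "->",
          attack_all_at_once(AllAtOnceLogin(short), len(short)))
```

The comparison is the whole point: any scheme that tells the client something about the password before the last character has been submitted turns an exponential search into a linear one, regardless of how clever the bot detection layered on top of it is. The all-at-once server gives away nothing per character, and in practice would also be rate limited and lock out after a handful of failures.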

I think this is actually done, and I wish I could remember the godforsaken website I encountered it on.