ivannovak / jpmaster77-s-Login-System-

jpmaster77's Login System v2.0.4d
http://www.evolt.org/node/60384

Basic security issues #3

Status: Closed (rainworm closed this issue 13 years ago)

rainworm commented 13 years ago

The potential attacker gets too much error information when trying to guess some login data.

For example, there are username and password input types. If I enter the wrong username, the system tells me that I entered the wrong username. I can guess the username by using the brute force method. When I know the username, I can move on to the password (it's the same story).

Advice: don't exactly pinpoint the error when someone is trying to log in. Instead of "no such username" or "wrong password", return something like "username or password doesn't match". This way the attacker doesn't get the information whether the username exists, and it's much better protection, as he must guess two strings at once, not just one.

greetings, rainworm
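The two behaviours rainworm contrasts, written out as an added Python example (it is not code from this PHP project): `login_verbose` returns a different message depending on which field was wrong, `login_uniform` returns the single "doesn't match" message the comment recommends. The user store, salt, password and the `leaks_username_existence` check are constructed for the example. It also goes one step beyond the comment: when the username is unknown it still runs the password hash against a dummy record, so the two failure paths take similar time and the username cannot be inferred from response timing either.

```python
import hashlib
import hmac

# Constructed in-memory user store for the example: username -> (salt, PBKDF2 hash).
# A real system would read these from its database; nothing here is project data.
ITERATIONS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


_SALT = b"constructed-salt-for-alice"
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Dummy credential used when the username does not exist, so a password hash is
# always computed and an unknown user does not return noticeably faster.
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY_HASH = _hash_password("dummy-placeholder-password", _DUMMY_SALT)

GENERIC_ERROR = "Username or password doesn't match"


def login_verbose(username: str, password: str) -> tuple[bool, str]:
    """The pattern the issue describes: the message says which field was wrong."""
    if username not in USERS:
        return (False, "no such username")
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return (False, "wrong password")
    return (True, "ok")


def login_uniform(username: str, password: str) -> tuple[bool, str]:
    """Hardened form: one message for both failures, and a hash is computed either way."""
    known = username in USERS
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    computed = _hash_password(password, salt)
    # Bitwise '&' instead of 'and' so the membership result is always combined,
    # and the dummy record can never produce a successful login.
    ok = hmac.compare_digest(computed, stored) & known
    return (ok, "ok" if ok else GENERIC_ERROR)


def leaks_username_existence(login) -> bool:
    """Defender-side check: do 'unknown user' and 'wrong password' produce different responses?"""
    _, unknown_user_msg = login("no-such-user", "irrelevant")
    _, wrong_password_msg = login("alice", "irrelevant")
    return unknown_user_msg != wrong_password_msg


if __name__ == "__main__":
    for name, fn in (("verbose", login_verbose), ("uniform", login_uniform)):
        print(f"{name}: unknown user -> {fn('bob', 'x')[1]!r}, "
              f"wrong password -> {fn('alice', 'x')[1]!r}, "
              f"leaks existence: {leaks_username_existence(fn)}")
```

The `leaks_username_existence` check is the kind of test worth keeping in a login module's test suite: it fails the moment someone reintroduces a field-specific error message.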

ivannovak commented 13 years ago

This is beyond the intent for this system. Feel free to modify this in your project.

rainworm commented 13 years ago

OK, at least point it out in comments so people will know it's an issue.