The potential attacker gets too much error information when trying to guess some login data.
For example, there are username and password input types. If I enter the wrong username, the system tells me that I entered the wrong username. I can guess the username by using the brute force method. When I know the username, I can move on to the password (it's the same story).
Advice: don't exactly pinpoint the error when someone is trying to log in. Instead of "no such username" or "wrong password", return something like "username or password doesn't match". This way the attacker doesn't get the information whether the username exists, and it's much better protection as he must guess two strings at once, not just one.
greetings, rainworm
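The two login handlers below illustrate the advice in the post, as an added example that is not part of the original post or of any particular project. `login_leaky` returns a field-specific message, so the response alone tells the caller whether the username exists; `login_generic` returns the single "username or password doesn't match" message the post recommends and, as an extra precaution not mentioned in the post, hashes the supplied password against a dummy record when the username is unknown, so an unknown-username request costs the same work as a wrong-password request. The user store, the salts, and the `USERS` / `_hash_password` names are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed sample user store: username -> (salt, PBKDF2 hash).
# Not taken from the post; it exists only so the handlers can run.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Dummy record used when the username is unknown, so the generic handler
# performs the same hashing work whether or not the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-password", _DUMMY_SALT)

def login_leaky(username: str, password: str) -> str:
    """The pattern the post complains about: the message names the wrong field."""
    if username not in USERS:
        return "no such username"          # confirms the username does not exist
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return "wrong password"            # confirms the username does exist
    return "ok"

def login_generic(username: str, password: str) -> str:
    """The post's advice: one message for both failure cases."""
    # Fall back to the dummy record so the hash is always computed.
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    password_matches = hmac.compare_digest(_hash_password(password, salt), stored)
    if username in USERS and password_matches:
        return "ok"
    return "username or password doesn't match"

if __name__ == "__main__":
    for user, pw in [("bob", "x"), ("alice", "x"), ("alice", "correct horse")]:
        print(f"{user!r}/{pw!r}: leaky={login_leaky(user, pw)!r} generic={login_generic(user, pw)!r}")
```

Only the response text is changed in `login_generic`; the check itself is the same as in `login_leaky`, which is why the fix costs nothing in usability for a legitimate user who knows both values.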