[thelist] Re: best way to check for valid user/password

Kelly Hallman khallman at wrack.org
Thu Jan 9 16:37:01 CST 2003


On Thu, 9 Jan 2003, Pete Prodoehl wrote:
> > I'd say it was good security practice not to distinguish between bad
> > username and bad password as far as user feedback is concerned. The less
> > information you give them about why they can't log in the better!
>
> Sure, that makes it easier on the developer, but harder on the user.

The original comment was about security, not ease of development.  If it
can be determined that a username exists on a system, the job of brute
force attacking the system becomes that much easier.

> If someone thinks they know their username, types it in (with the
> correct password) and tries to log in, it might be helpful to tell them
> the password was incorrect instead of saying 'one or the other was
> wrong, but I won't tell you which one.'

Inconvenient for the user who forgot their login information maybe, but
probably less inconvenient than someone hacking your account.....

> I can't tell you how many sites I've got to where I don't remember the
> exact variation of my name that I used. Was it pete, petep, pete1,
> pete2, etc...

Those sites should perhaps offer some alternative method of retrieving
your login credentials, such as mailing them to an email address given
during the initial account registration.

--
Kelly Hallman
http://wrack.org/
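As an added illustration of the point made above (this is example code written for this page, not code from the thread or from either poster), the two login routines below show the difference in practice. `login_leaky` answers with a different message depending on whether the username or the password was wrong, so its responses confirm which usernames exist. `login_uniform` returns one generic message either way and, going one step beyond the thread, also does the same password-hashing work for an unknown username as for a known one, so that response time does not reveal what the message hides. The user store, the sample account "pete", the PBKDF2 parameters and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; an assumed value for the example.
_ITERATIONS = 100_000

GENERIC_ERROR = "Invalid username or password."


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def make_user_store(credentials: dict) -> dict:
    """Build a constructed in-memory store: username -> (salt, password hash)."""
    store = {}
    for username, password in credentials.items():
        salt = os.urandom(16)
        store[username] = (salt, _hash_password(password, salt))
    return store


# Dummy credentials used only so that the unknown-username path performs the
# same hashing work as the known-username path (no timing difference).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-password-never-matches", _DUMMY_SALT)


def login_leaky(store: dict, username: str, password: str):
    """The behaviour the thread argues against: the message says which field was wrong,
    so the response confirms whether a username exists."""
    if username not in store:
        return (False, "Unknown username.")
    salt, expected = store[username]
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return (False, "Incorrect password.")
    return (True, "OK")


def login_uniform(store: dict, username: str, password: str):
    """Same error text, and the same amount of work, whether or not the username exists."""
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash_password(password, salt), expected)
    # The second condition guards against the dummy hash ever counting as a match.
    if matches and username in store:
        return (True, "OK")
    return (False, GENERIC_ERROR)


if __name__ == "__main__":
    # Constructed sample account, not real data.
    users = make_user_store({"pete": "correct horse"})
    for name in ("pete", "pete1"):
        print("leaky  :", name, login_leaky(users, name, "wrong"))
        print("uniform:", name, login_uniform(users, name, "wrong"))
```

Running the block prints a different message for "pete" and "pete1" from `login_leaky` but the same generic message from `login_uniform`; the recovery-by-email step the post suggests is what restores usability once the login form itself stops explaining failures.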
