Community mailing list archives

Possible security issue?

Apertoso, Maarten De Wispelaere
- 11/18/2014 10:20:55
Dear all,

I noticed that, on ; the form shows whether an account exists or not…


This doesn’t seem like a very good idea from a security aspect. Normally, you should say - after an attempt to login - that either the username or password is invalid, but not give clues as to whether an account actually exists or not.
In doing so, you actually make it easier for dictionary attacks to guess accounts…

Classic attacks seek username & password combinations, not knowing whether a user exists or not, which makes it a very slow process (relatively).
If a valid user can be detected, the time needed to try all combinations is reduced by a huge factor, as you can first concentrate on finding valid user accounts, and only afterwards try to guess the password.

This might seem a nice idea from a usability kind of perspective, I get that… but you might want to reconsider…

Best regards,
Maarten De Wispelaere
Apertoso NV
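The following is an added illustration of the point made in the post above; it is example code written for this archive page, not code from the post's author or from the project whose login form is being discussed. It uses a constructed in-memory user store (names "alice" and "bob" and their passwords are made up) and shows a leaky login handler next to one that returns a single failure message and does the same amount of hashing work whether or not the account exists, plus the attacker-side probe that tells the two apart and the guess-budget arithmetic from the post.

```python
import hashlib
import hmac
import os

# Constructed demo user store (username -> (salt, PBKDF2 hash)); not from the original post.
_ITERATIONS = 10_000  # kept low for the demo; production deployments use far more


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def make_user_store(credentials):
    store = {}
    for username, password in credentials.items():
        salt = os.urandom(16)
        store[username] = (salt, _hash_password(password, salt))
    return store


USERS = make_user_store({"alice": "correct horse", "bob": "hunter2"})

# Random dummy credential: unknown usernames still cost one PBKDF2 run and can never match.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = os.urandom(32)

GENERIC_FAILURE = "Invalid username or password"


def login_leaky(store, username, password):
    """Vulnerable variant: the failure text reveals whether the account exists."""
    if username not in store:
        return False, "No account with that username"
    salt, expected = store[username]
    if hmac.compare_digest(_hash_password(password, salt), expected):
        return True, "Welcome"
    return False, "Wrong password"


def login_uniform(store, username, password):
    """Hardened variant: one failure message for both cases, and the password
    hash is always computed so response time does not leak existence either."""
    known = username in store
    salt, expected = store[username] if known else (_DUMMY_SALT, _DUMMY_HASH)
    ok = hmac.compare_digest(_hash_password(password, salt), expected)
    if known and ok:
        return True, "Welcome"
    return False, GENERIC_FAILURE


def enumerate_accounts(login, store, candidates):
    """Attacker side: probe each candidate name with a junk password and keep
    the names whose response differs from the 'unknown user' response."""
    # Calibrate with a username that is practically guaranteed not to exist.
    _, unknown_msg = login(store, "zz-nonexistent-" + os.urandom(4).hex(), "x")
    found = []
    for name in candidates:
        ok, msg = login(store, name, "x")
        if ok or msg != unknown_msg:
            found.append(name)
    return found


def guess_budget(n_usernames, n_passwords, n_valid):
    """Worst-case guess counts: blind (every username/password pair) versus
    enumerate the valid accounts first, then guess passwords only for those."""
    blind = n_usernames * n_passwords
    with_enumeration = n_usernames + n_valid * n_passwords
    return blind, with_enumeration


if __name__ == "__main__":
    candidates = ["admin", "alice", "bob", "carol", "root"]
    print("leaky   :", enumerate_accounts(login_leaky, USERS, candidates))
    print("uniform :", enumerate_accounts(login_uniform, USERS, candidates))
    print("budget  :", guess_budget(len(candidates), 10_000, 2))
```

Against the leaky handler the probe loop finds every real account with one request per candidate name; against the uniform handler it finds none, because existence is no longer visible in the message or in the cost of the request. Note that the uniform handler is only as good as the rest of the site: a registration or password-reset page that says "that e-mail is already registered" reopens the same channel.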