by Quentin THEURET <> - 11/18/2014 11:10:23
On 18/11/2014 16:22, Maarten De Wispelaere wrote:
> Dear all,
> I noticed that, on ; the form shows whether an account exists or not…
> Screenshot:
> This doesn't seem like a very good idea from a security aspect. Normally, you should say - after an attempt to login - that either the username or password is invalid, but not give clues to whether an account actually exists or not.
> In doing so, you actually make it easier for dictionary attacks to guess for accounts…
> Classic attacks seek username & password combinations, not knowing whether a user exists or not, which makes it a very slow process (relatively).
> If a valid user can be detected, the time needed to try all combinations is reduced by a huge factor, as you can first concentrate on finding valid user accounts, and only afterwards try to guess the password.
> This might seem a nice idea from a usability kind of perspective, I get that… but you might want to reconsider…


I think you are right. It's not a big security hole, but the less 
information you give to attackers, the more difficult it becomes to find the 

I think Odoo could reconsider this point.
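To make the point of the thread concrete, here is an added example (not code from Odoo or from either poster) contrasting a login check that answers "Unknown user" / "Wrong password" with one that always answers "Invalid username or password" and does the same amount of hashing whether or not the account exists. The user store, the salts, the password and the `enumerate_users` helper are all constructed for the illustration; the hardened version also verifies a dummy credential for non-existent accounts so that response time does not leak what the message no longer does.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store for the example (not Odoo's user table).
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT_ALICE = b"\x01" * 16  # fixed salt so the example is reproducible
USERS = {
    "alice@example.com": (_SALT_ALICE, _hash_password("correct horse", _SALT_ALICE)),
}

# Dummy credential verified whenever the account does not exist, so the
# expensive hash runs in both branches and timing does not reveal existence.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(os.urandom(16).hex(), _DUMMY_SALT)


def login_leaky(username: str, password: str):
    """Vulnerable variant: distinct messages reveal whether the account exists."""
    record = USERS.get(username)
    if record is None:
        return (False, "Unknown user")
    salt, stored = record
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return (True, "OK")
    return (False, "Wrong password")


def login_uniform(username: str, password: str):
    """Hardened variant: one message and the same work whether or not the user exists."""
    record = USERS.get(username)
    if record is None:
        exists, salt, stored = False, _DUMMY_SALT, _DUMMY_HASH
    else:
        exists, (salt, stored) = True, record
    match = hmac.compare_digest(_hash_password(password, salt), stored)
    if exists and match:
        return (True, "OK")
    return (False, "Invalid username or password")


def enumerate_users(login, candidates, probe_password="x"):
    """The attacker's side: bucket candidate usernames by the error message returned.

    Against login_leaky the buckets split existing from non-existing accounts;
    against login_uniform every candidate lands in the same bucket.
    """
    buckets = {}
    for candidate in candidates:
        _, message = login(candidate, probe_password)
        buckets.setdefault(message, []).append(candidate)
    return buckets


if __name__ == "__main__":
    names = ["alice@example.com", "bob@example.com"]
    print("leaky:  ", enumerate_users(login_leaky, names))
    print("uniform:", enumerate_users(login_uniform, names))
```

Note that a uniform message alone is not enough if the "user exists" path still does noticeably more work (password hashing) than the "no such user" path; that is why `login_uniform` hashes against a dummy record in the missing-user case.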


