Post by Charles Stover on Dec 27, 2009 12:41:55 GMT -8
> Common suggestion: Do not tell someone when they (fail to) login if it is the username or password that they have wrong. This makes it easier to guess at the login, especially under some circumstances.

I disagree. Knowing that it's the wrong username is a useful feature, since some people tend to use multiple usernames across the Internet. I myself have been baffled by how none of my passwords work, and it turned out I was using the wrong username. Assuming you're talking about brute-forcers and the like, someone's username will likely be already determined as accurate (e.g. pulled from a member list or somewhere else on the site where it is listed) before it is attempted to be cracked - so a "wrong password" is implied. The only people who will be affected by a "wrong username" screen are those who will need it.
Post by RedBassett on Dec 27, 2009 13:10:25 GMT -8
> > Common suggestion: Do not tell someone when they (fail to) login if it is the username or password that they have wrong. This makes it easier to guess at the login, especially under some circumstances.
>
> I disagree. Knowing that it's the wrong username is a useful feature, since some people tend to use multiple usernames across the Internet. I myself have been baffled by how none of my passwords work, and it turned out I was using the wrong username. Assuming you're talking about brute-forcers and the like, someone's username will likely be already determined as accurate (e.g. pulled from a member list or somewhere else on the site where it is listed) before it is attempted to be cracked - so a "wrong password" is implied. The only people who will be affected by a "wrong username" screen are those who will need it.

I have always made no distinction between the two, but it is a matter of the programmer's opinion. I prefer the slight security benefits, and am simply echoing a suggestion that has been made to me many times before, but as I said, this is a matter of personal taste.
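
The two behaviours debated above, side by side, as an added example that is not part of the thread or of the script under review. The account store, the `login` function and its `distinguish` flag are hypothetical; hashing a dummy record for unknown usernames is an extra assumption so that the generic message is not undone by a faster response.

```python
import hashlib
import hmac
import os

GENERIC_FAILURE = "Invalid username or password."
ITERATIONS = 100_000  # constructed value for this demo


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed sample account store (hypothetical user and password).
USERS = {"alice": make_user("correct horse")}

# Dummy record: unknown usernames cost the same hashing work as known ones.
_DUMMY = make_user(os.urandom(16).hex())


def login(username: str, password: str, distinguish: bool = False):
    """Return (ok, message_shown_to_user, reason_for_server_log)."""
    record = USERS.get(username)
    target = record or _DUMMY
    candidate = hash_password(password, target["salt"])
    matches = hmac.compare_digest(candidate, target["hash"])
    if record is not None and matches:
        return True, "Welcome.", "ok"
    # The precise reason is always available to the server-side log.
    reason = "unknown_username" if record is None else "wrong_password"
    if distinguish:
        # First post's preference: tell the user which part was wrong.
        message = "Unknown username." if record is None else "Wrong password."
    else:
        # The "common suggestion": one message for both kinds of failure.
        message = GENERIC_FAILURE
    return False, message, reason
```
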
Post by Phrate on Dec 28, 2009 17:15:01 GMT -8
The reason for the exploits not being removed is because I am working on ToT v2.