
I'd prefer the error to be "invalid username" if the typed username is not registered, and "wrong username or password" if it is. The system only knows if the username is valid or not; it doesn't know whether it's wrong (i.e. mistyped).


I'd prefer to not create a brute-force vulnerability that leaks the site's list of user email addresses to an attacker.


As the article points out, this leaks it no more than trying to register an email address.


Which can be prevented by sending a confirmation email at signup, no matter whether it's a new account or an existing one.
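The two mitigations discussed in this thread, a single login failure message for both unknown accounts and wrong passwords, and a signup flow that answers the same way on screen and moves the difference into the confirmation email, as an added Python example that is not from the article or any commenter; the in-memory stores, the dummy credential and the example addresses are constructed stand-ins for a real backend:

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stores standing in for a user database (assumption, not a real backend).
USERS = {}     # email -> (salt, password hash)
PENDING = {}   # confirmation token -> (email, salt, password hash)
ITERATIONS = 50_000

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Dummy credential so an unknown email costs the same hashing work as a known one (no timing tell).
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _hash("unused", _DUMMY_SALT)

def login_leaky(email: str, password: str) -> str:
    """Variant proposed in the first comment: the response itself says whether the email exists."""
    if email not in USERS:
        return "invalid username"
    salt, stored = USERS[email]
    if hmac.compare_digest(_hash(password, salt), stored):
        return "ok"
    return "wrong username or password"

def login_uniform(email: str, password: str) -> str:
    """Hardened variant: one message for both failures, and the hash is always computed."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    if email in USERS and hmac.compare_digest(_hash(password, salt), stored):
        return "ok"
    return "wrong username or password"

def signup(email: str, password: str, outbox: list) -> str:
    """Same on-screen response whether or not the address is registered; only the email differs."""
    if email in USERS:
        outbox.append((email, "This address already has an account. Use password reset if needed."))
    else:
        salt = secrets.token_bytes(16)
        token = secrets.token_urlsafe(16)
        PENDING[token] = (email, salt, _hash(password, salt))
        outbox.append((email, f"Confirm your new account with token {token}"))
    return "Check your email to continue."

def confirm(token: str) -> None:
    """Activate a pending signup; holding the token proves the address was reachable."""
    email, salt, stored = PENDING.pop(token)  # KeyError for an unknown token
    USERS[email] = (salt, stored)
```

Only the last token in the outbox message is the confirmation token; a real mailer would send a link instead.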



