Insecurity

The below sign-in bad-password message tells the user that the group name is invalid, which is one way to crack the group name (which we currently don't protect) - but a bot would have to guess unless it is trained to navigate FastBlogIt.


Tags

  1. user
  2. login
  3. feature

Comments


Seth says
I'm calling that a feature, not a bug. When trying to get into a system where you are not sure of what name you used, it is very convenient to have the system tell you whether you typed the name wrong or the password wrong. I put that feature in intentionally.
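
The trade-off discussed in the post and comment above, as an added Python example (not FastBlogIt code and not written by either participant): a sign-in check that reports which field was wrong, beside one that returns a single message for both failures. The function names, message strings and the sample group store are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    # Low iteration count keeps the example fast; real deployments use far more.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def make_store(groups):
    """Build a constructed sample store: group name -> (salt, password hash)."""
    store = {}
    for name, password in groups.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash(password, salt))
    return store

# Dummy record so an unknown group costs the same hashing work as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)

def signin_distinct(store, group, password):
    """Behaviour described in the post: the message says which field was wrong."""
    if group not in store:
        return False, "Invalid group name"
    salt, stored = store[group]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "Invalid password"
    return True, "Signed in"

def signin_uniform(store, group, password):
    """Same check, one failure message, and one hash computed on every path."""
    salt, stored = store.get(group, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if not (matches and group in store):
        return False, "Invalid group name or password"
    return True, "Signed in"

def distinguishable(signin, store, known_group, unknown_group):
    """True if the failure messages reveal whether a group name exists."""
    known_msg = signin(store, known_group, "wrong-password")[1]
    unknown_msg = signin(store, unknown_group, "wrong-password")[1]
    return known_msg != unknown_msg
```

A check like `distinguishable` can sit in a regression test so the sign-in form's behaviour is a deliberate, recorded choice either way.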
