Hacker News
by mindcrime 3973 days ago
Regarding #1, telling the user that their login failed doesn't eliminate their ability to enumerate existing usernames. All they have to do instead is attempt to register a new account with the username they're testing. At some point, the site will have to tell them that the username already exists.

Agreed, but I would lean towards giving the bad guys as few tools as possible. If you require a captcha to register, and if you limit the number of registration attempts, you can also cut down on that channel.

That's not to say that this stuff is the be all / end all of course. It would probably be better to eliminate username/password combos altogether and do everything with keypairs, but until that day comes...
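As an added example, not code from this thread: a login handler that returns the same failure message and does the same amount of work whether or not the username exists, beside a registration endpoint that rate-limits attempts per source address before it has to say that a name is taken. The user store, limits, addresses and names are constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple

def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hash the site really uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed in-memory user store: username -> (salt, derived key).
_SALT = os.urandom(16)
USERS: Dict[str, Tuple[bytes, bytes]] = {"alice": (_SALT, _derive("correct horse", _SALT))}
# Dummy credential checked when the username is unknown, so a failed login
# costs the same time whether or not the account exists (no timing oracle).
_DUMMY = (_SALT, _derive("not-a-real-password", _SALT))
GENERIC_FAILURE = "Invalid username or password."

def login(username: str, password: str) -> Tuple[bool, str]:
    salt, stored = USERS.get(username, _DUMMY)
    match = hmac.compare_digest(_derive(password, salt), stored)
    # The dummy entry must never log anyone in, even if its password is guessed.
    if match and username in USERS:
        return True, "Welcome."
    return False, GENERIC_FAILURE

REG_LIMIT = 5        # registration attempts allowed per source address ...
REG_WINDOW = 3600.0  # ... within this many seconds (sliding window)
_reg_attempts: Dict[str, Deque[float]] = defaultdict(deque)

def register(source: str, username: str, password: str, captcha_ok: bool,
             now: Optional[float] = None) -> Tuple[bool, str]:
    now = time.time() if now is None else now
    window = _reg_attempts[source]
    while window and now - window[0] > REG_WINDOW:
        window.popleft()
    # Every attempt counts, including ones that fail the captcha, so an
    # enumeration loop burns its budget before learning which names exist.
    if len(window) >= REG_LIMIT:
        return False, "Too many registration attempts; try again later."
    window.append(now)
    if not captcha_ok:
        return False, "Captcha check failed."
    if username in USERS:
        # This answer cannot be hidden; the limit above caps how often it is given.
        return False, "That username is already taken."
    salt = os.urandom(16)
    USERS[username] = (salt, _derive(password, salt))
    return True, "Account created."
```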


Except you aren't really limiting the tools available to the bad guys, you are just making the UX worse. I find this 'best practice' annoying design and doubt that it has mitigated any attacks.