by throwaway2016a 686 days ago
It's not quite so clear-cut. Close. Even OWASP acknowledges there are trade-offs:

> The problem with returning a generic error message for the user is a User Experience (UX) matter. A legitimate user might feel confused with the generic messages, thus making it hard for them to use the application, and might after several retries, leave the application because of its complexity. The decision to return a generic error message can be determined based on the criticality of the application and its data. [1]

Though it's a pretty low bar. Given the common uses of WordPress, there is certainly a very strong argument that it warrants the extra security.

I'm not defending its UX; I think it should have more generic errors. Just pointing out that this one particular example is not in and of itself the best banner to hold up when it comes to bad security, as it is not a clear-cut answer. A person could be very considerate of security and still come to the conclusion that the better UX is worth the risk.

[1] https://cheatsheetseries.owasp.org/cheatsheets/Authenticatio...
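As an added example (not code from the thread, OWASP or WordPress), the two login-response policies being debated side by side, using a constructed single-user store and PBKDF2 hashing; `leaks_user_existence` is an assumed helper that checks whether a handler's failure message tells a missing account apart from an existing one.

```python
"""Login failure messages: field-specific vs generic (added example, not from the thread)."""
import hashlib
import hmac


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 password hash; iteration count is illustrative."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, hash). Assumed sample data, not real credentials.
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
# Dummy record verified when the username is unknown, so both failure paths do the same work.
_DUMMY = (_SALT, _hash("placeholder", _SALT))

GENERIC_ERROR = "Invalid username or password."


def login_verbose(username: str, password: str) -> str:
    """Says which field was wrong: the WordPress-style behaviour discussed above."""
    if username not in USERS:
        return "Error: invalid username."
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Error: the password you entered is incorrect."
    return "OK"


def login_generic(username: str, password: str) -> str:
    """One message for unknown user and wrong password (the OWASP-recommended default)."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    return "OK" if ok else GENERIC_ERROR


def leaks_user_existence(handler) -> bool:
    """Defender check: does a handler answer differently for a missing vs an existing account?"""
    return handler("nobody", "x") != handler("alice", "x")


if __name__ == "__main__":
    for name, handler in (("verbose", login_verbose), ("generic", login_generic)):
        print(f"{name}: leaks account existence = {leaks_user_existence(handler)}")
```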


I think this is a valid point. At least for frontend usage I can see how less generic messages might make sense. I would still opt for generic messages, but I’m also a little paranoid ;)