Log-on security

by GoodGuyGreg, 1 reply, in forum: suggestions

  • GoodGuyGreg


    Just a suggestion from old paranoid me: The logon process on this forum evaluates the username and password parts of the credentials separately, from what I see. Giving clues to valid usernames opens up a couple of nasty and probably unwanted attack vectors (including searching for suspected members by their known mail addresses). I do understand that it simplifies the interaction with less computer literate users, though.

    If the current process is there by design, or if I've misunderstood it, I'll just shut my mouth, but at least I want to have warned against it. :)

  • Hadriel

    Use an alias email address.

    Change your passwords frequently.

    I understand your question, and in general I tend to code it in such a manner that you simply get back "username password mismatch" or something to that effect. Additionally, when you recover an account, all posts are successful. You don't know if it recognizes your email or not. All by design, for the reasons you describe.

    ALL that said, the two things I mention above are pretty important. The bottom line: for a skilled person, if they have the time and reason, they're going to get it. So if we do our parts, it helps devs like myself tremendously. What I mean is, and I'm not trying to scare folks here, it's just that it helps if you remove the target! Hopefully I'm making my point right.

    You may want to ask Simon; he may have something in the hopper for this. Sites such as this are labors of love. They are constantly in flux, understandably I might add.
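The two designs discussed in this thread side by side, as an added example (not code from this forum's software or from either poster): a login routine that checks username and password separately and reports which one failed, next to one that returns a single "username password mismatch" message and does the same amount of hashing work whether or not the username exists, plus an account-recovery endpoint that answers identically for registered and unregistered addresses. The user table, passwords and message strings are constructed for the example; the PBKDF2 call stands in for whatever password hash a real site uses.

```python
"""Uniform-response login and account recovery (added example).

Contrasts a login that evaluates username and password separately (and so
confirms which usernames exist) with one that gives the same answer either
way, and shows an account-recovery endpoint that cannot be used to test
whether an email address is registered. All data below is constructed.
"""
import hashlib
import hmac
import os

# PBKDF2 stands in for a real password hash (argon2/bcrypt/scrypt); the
# iteration count is kept modest so the example runs quickly stand-alone.
_ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def _make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed user table, keyed by the login name (an email address here).
USERS = {
    "greg@example.org": _make_user("correct horse battery staple"),
    "hadriel@example.org": _make_user("hunter2"),
}

# Dummy credential checked when the username is unknown, so a failed lookup
# costs the same as a failed password check; otherwise response time alone
# distinguishes "no such user" from "wrong password".
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> str:
    """Vulnerable: evaluates the two parts separately and says which failed."""
    user = USERS.get(username)
    if user is None:
        return "unknown username"   # tells the caller this address is not registered
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        return "wrong password"     # tells the caller this address IS registered
    return "ok"


GENERIC_FAILURE = "username password mismatch"


def login_uniform(username: str, password: str) -> str:
    """Hardened: one message and the same amount of work on either failure."""
    user = USERS.get(username)
    if user is None:
        salt, expected = _DUMMY_SALT, _DUMMY_HASH
    else:
        salt, expected = user["salt"], user["hash"]
    # Always run the hash and compare in constant time, even for unknown users.
    matched = hmac.compare_digest(hash_password(password, salt), expected)
    if user is None or not matched:
        return GENERIC_FAILURE
    return "ok"


RECOVERY_MESSAGE = "If that address is registered, a reset link has been sent."


def recover_account(email: str, outbox: list) -> str:
    """Recovery that 'always succeeds' as far as the caller can tell.

    A reset mail is queued only for registered addresses, but the response
    is identical either way, so the endpoint cannot be used to probe membership.
    """
    if email in USERS:
        outbox.append((email, "password reset link"))
    return RECOVERY_MESSAGE


if __name__ == "__main__":
    for name, pw in [("greg@example.org", "wrong"), ("nobody@example.org", "wrong")]:
        print(f"leaky:   {name:20} -> {login_leaky(name, pw)}")
        print(f"uniform: {name:20} -> {login_uniform(name, pw)}")
    outbox = []
    print(recover_account("nobody@example.org", outbox), "| mails queued:", len(outbox))
```

Note that the uniform message alone is not enough: if the unknown-user path skips the hash computation, the faster response gives the same information the message used to, which is why the dummy hash is verified on that path too. The recovery endpoint also needs rate limiting in practice, since the mail itself still only goes to real addresses.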
