Monday, October 15, 2012

can't they be more specific?

found on memebase

if you've ever come across that error message (wrong username or password) and wondered why they don't just tell you which one is wrong, it's because that additional information would reduce the amount of guessing that an attacker would have to do (if they were going to attack the system by guessing).


Anonymous said...

we usually consider differing error messages an issue because an attacker could then enumerate usernames. Especially useful if it's email addresses instead as usernames.