Tuesday, December 10, 2013

That's my username

Normally the only one of those you can't actually see on the screen is your password, so you should be able to tell when it's your username that's wrong. The exception is when you've forgotten your username and are trying to guess it, but the people guessing at that sort of thing usually aren't the real account holders, and helping them make better guesses kinda makes security worse.
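As an added example (not code from the original post), here is a login check that tells the caller which credential failed, beside one that returns a single generic message and does the same hashing work whether or not the username exists, so neither the wording nor the response time says whether the username was valid. The user store and its password are constructed for the example.

```python
# Added example, not from the original post: a login check that reveals which
# credential failed, next to one that gives the same answer and does the same
# amount of work on every failure path.
import hashlib
import hmac
import os
from typing import Tuple

ITERATIONS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed user store for the example: username -> (salt, hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse battery staple", _SALT))}

# Salt and hash for a password nobody has. A lookup miss still costs one
# PBKDF2 run, so response time does not reveal whether the username exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(os.urandom(32).hex(), _DUMMY_SALT)

def login_verbose(username: str, password: str) -> Tuple[bool, str]:
    """Weak: the message (and the early return) tell the caller whether
    the username exists, which is exactly what username enumeration needs."""
    record = USERS.get(username)
    if record is None:
        return False, "Unknown username"
    salt, stored = record
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return False, "Incorrect password"
    return True, "OK"

def login_generic(username: str, password: str) -> Tuple[bool, str]:
    """Hardened: one message for every failure, and the hash is computed
    on both the hit and the miss path."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(hash_password(password, salt), stored)
    # A match against the dummy record must never count as a login.
    ok = ok and username in USERS
    if not ok:
        return False, "Invalid username or password"
    return True, "OK"
```

The generic message is the point the post makes; the dummy hash is the extra step that keeps timing from leaking the same information the message used to.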


Anonymous said...

But if you have a specific error message saying that the username entered is incorrect, you open the application up to username enumeration.

kurt wismer said...

precisely. it gives them more information, which makes it easier for them to guess a set of valid credentials, which is something we don't want. that's why we don't tell people which credential is invalid - if you're a legit account holder you should be able to tell from what's on the screen, and if you're not a legit account holder we don't want to help you.