Admin
It is a pretty basic tenet of login security that you never tell a would-be cracker which of user name and password he got wrong, so this code is correct. The message could be better, but the principle is correct: a failed log-in is a failed log-in, and the would-be user should never get a clue as to why.
Admin
When it comes to working in a corporate setting you quickly learn that, much as in a civil war, being right is far less important than not being seen being wrong.
Admin
Though in this case, it's not that authentication failed - it's that it was never attempted, because the function doing it was called incorrectly.
Admin
So ... Excellence in programming?
Admin
I totally agree. But here, the message about the password should not be that the password is incorrect (which can indicate to a hacker that the username is correct) -- it should be that a password is required. And the response for a bad login should be "Invalid login" with no indication whether it is the username or the password that is not found in the authentication store.
(And yes, I'm quite sure there's somebody out there who, in addition to validating the supplied password against the supplied username will check to see if the password hash exists and throw a "right password wrong username" message.)
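As an added illustration of the advice in this thread (not code from the article or from any commenter), the Python below returns one generic "Invalid login" for both an unknown username and a wrong password, and reserves specific messages for missing input only. The in-memory user store is constructed for the example, and the dummy-hash step that keeps the unknown-user path doing the same work as the known-user path is an assumption that goes a little beyond what the thread says.

```python
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 with a per-user salt; the store holds only salt + hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed in-memory user store for the example: username -> (salt, hash).
_ALICE_SALT = os.urandom(16)
USERS = {
    "alice": (_ALICE_SALT, _hash_password("correct horse battery staple", _ALICE_SALT)),
}

# Dummy credential compared against when the username is unknown, so the
# unknown-user path runs the same hashing work as the known-user path and the
# response time does not reveal whether the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(os.urandom(32).hex(), _DUMMY_SALT)

USERNAME_REQUIRED = "Username is required"
PASSWORD_REQUIRED = "Password is required"
INVALID_LOGIN = "Invalid login"


def login(username, password):
    """Return (success, message). Authentication failures all map to INVALID_LOGIN."""
    # Input-shape errors are not authentication results: they say nothing about
    # whether the account exists, so a specific message is acceptable here.
    if not username:
        return False, USERNAME_REQUIRED
    if not password:
        return False, PASSWORD_REQUIRED

    # Always fetch a (salt, hash) pair and always hash the candidate, even for
    # an unknown user, so both failure paths do the same amount of work.
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    matched = hmac.compare_digest(candidate, stored)

    # The "username in USERS" guard is evaluated after the compare so the
    # dummy comparison is never skipped; it also ensures the dummy can never
    # authenticate an unknown user.
    if matched and username in USERS:
        return True, "OK"
    # Unknown user and wrong password collapse to one identical message.
    return False, INVALID_LOGIN
```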