• RLB (unregistered)

    It is a pretty basic tenet of login security that you never tell a would-be cracker which of user name and password he got wrong, so this code is correct. The message could be better, but the principle is correct: a failed log-in is a failed log-in, and the would-be user should never get a clue as to why.

  • 516052 (unregistered)

    When it comes to working in a corporate setting you quickly learn that, much as in a civil war, being right is far less important than not been seen being wrong.

  • (author) in reply to RLB

    Though in this case, it's not that authentication failed- it's that it was never attempted because the function doing it was called incorrectly.

  • (nodebb)

    So ... Excellence in programming?

  • (nodebb) in reply to RLB

    It is a pretty basic tenet of login security that you never tell a would-be cracker which of user name and password he got wrong, so this code is correct. The message could be better, but the principle is correct: a failed log-in is a failed log-in, and the would-be user should never get a clue as to why.

    I totally agree. But here, the message about the password should not be that the password is incorrect (which can indicate to a hacker that the username is correct) -- it should be that a password is required. And the response for a bad login should be "Invalid login" with no indication whether it is the username or the password that is not found in the authentication store.

    (And yes, I'm quite sure there's somebody out there who, in addition to validating the supplied password against the supplied username will check to see if the password hash exists and throw a "right password wrong username" message.)

  • Tim (unregistered) in reply to Bananafish

    (And yes, I'm quite sure there's somebody out there who, in addition to validating the supplied password against the supplied username will check to see if the password hash exists and throw a "right password wrong username" message.)

    better still, how about "password character 4 is correct; characters 3 and 7 are correct but in the wrong position" ;-)

  • Scragar (unregistered)

    Optional required fields.

    Because of course someone would create that in PHP, why wouldn't you.

    It fits right in with the type safe automatic type cohersion.

  • (nodebb)

    It's already been invented. How many times have you encountered the error "An error has occurred"?

  • (nodebb) in reply to Tim

    Ok, then, I will enter "green, red, red, white, blue"

  • MRAB (unregistered) in reply to Bananafish

    Could it instead complain about the password even if there's no such username? A hacker would then be wasting time on a dead end, thinking they have a valid username!

  • Loren Pechtel (unregistered)

    @RLB Yeah, you don't tell the user what was invalid. But it is perfectly acceptable to tell the user they failed to fill in something. Acceptable results here are username required/password required/username and password required/credentials not found/internal problem/success. (Don't tell me my credentials are wrong when the actual problem was a backend system not responding!)

  • (nodebb)

    More importantly, if it's possible to supply neither of username and password, the resulting error should mention both problems. As it is, even if the password error had the correct message, the developer experience is that you're told "you need to provide a username", so you fix your code, try again, and then get an error "you also need a password lol" error that you could have got the first time as well.

    This is especially annoying when you're passing in a rich data structure and the actual error is that you put username and password (say) at the wrong level. If the error says "You should have given me fields foo, bar and baz" and you did specify all of them, that gives you a chance to look at the documentation again and realise your mistake.

  • (nodebb) in reply to Tim

    Passwordle!

  • xtal256 (unregistered)

    " I could make every exception message be "username is required", and it wouldn't be wrong."

    I mean, most errors you see these days are all just "Oops, something went wrong!", so having them all be "username is required" instead wouldn't be that much of a difference.

  • richarson (unregistered)

    @RLB and others: while you're right about not telling which one failed to the user, we're talking logs here, right? Otherwise Remy's mention of debugging the app (1) wouldn't make much sense.

    I mean, I hope the exceptions get logged where only the admins can see it and not shown in the user's screen...

    (1): "...but the absolute disaster that debugging issues with this function could easily become"

  • A Human (unregistered) in reply to Balor64

    I can feel an r/baduibattles post incoming

  • 516052 (unregistered)

    I sincerely wonder how much difference any of that even makes. Any serious hacking attempt these days will either be hacking the person rather than the system or using some sort of automated mechanism that won't care about the error messages. And any serious system will have lockouts such as a limit on login attempts that make guesswork impractical. So all this frankly looks like security theater.

  • RLB (unregistered) in reply to 516052

    Sometimes, it is worth something to an attacker to know that a certain account is present in the system, even if he can't get in. There is more to security than mere technical security. (For one, knowing that your "hacking this person" is worth the trouble.)

  • (nodebb) in reply to RLB

    Unfortunately it's impossible to avoid nowadays for systems that allow different ways of entering your credentials, configured per-user. Such as Microsoft accounts, which must accept your login first before asking for your password, passkey, left buttcheek tattoo or whatever.

  • (nodebb) in reply to Tim

    better still, how about "password character 4 is correct; characters 3 and 7 are correct but in the wrong position" ;-)

    Is this how Joshua was able to get the launch code one digit at a time?

  • Cmdr Javik (unregistered)

    You primitives are missing a point. If a function argument is REQUIRED then you don't provide a DEFAULT VALUE. You let the caller crash and burn -- your function ignites their ship eezo drive core and slams them into a mearest supernova.

  • Officer Johnny Holzkopf (unregistered) in reply to n9ds

    Error message: Oops! Your PC did something wrong. Please try again later.

  • PedanticRobot (unregistered)

    If a user is calling this method, then you're already in a world of trouble that error message specifics won't solve.

Leave a comment on “Required Fields”

Log In or post as a guest

Replying to comment #700898:

« Return to Article