• RLB (unregistered)

    It is a pretty basic tenet of login security that you never tell a would-be cracker which of user name and password he got wrong, so this code is correct. The message could be better, but the principle is correct: a failed log-in is a failed log-in, and the would-be user should never get a clue as to why.

  • 516052 (unregistered)

    When it comes to working in a corporate setting you quickly learn that, much as in a civil war, being right is far less important than not being seen being wrong.

  • (author) in reply to RLB

    Though in this case, it's not that authentication failed; it's that it was never attempted because the function doing it was called incorrectly.

  • (nodebb)

    So ... Excellence in programming?

  • (nodebb) in reply to RLB

    It is a pretty basic tenet of login security that you never tell a would-be cracker which of user name and password he got wrong, so this code is correct. The message could be better, but the principle is correct: a failed log-in is a failed log-in, and the would-be user should never get a clue as to why.

    I totally agree. But here, the message about the password should not be that the password is incorrect (which can indicate to a hacker that the username is correct) -- it should be that a password is required. And the response for a bad login should be "Invalid login" with no indication whether it is the username or the password that is not found in the authentication store.

    (And yes, I'm quite sure there's somebody out there who, in addition to validating the supplied password against the supplied username will check to see if the password hash exists and throw a "right password wrong username" message.)

  • Tim (unregistered) in reply to Bananafish

    (And yes, I'm quite sure there's somebody out there who, in addition to validating the supplied password against the supplied username will check to see if the password hash exists and throw a "right password wrong username" message.)

    better still, how about "password character 4 is correct; characters 3 and 7 are correct but in the wrong position" ;-)
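The rule the thread above settles on, as an added Python example that is not from the article or any commenter: required-field errors are reported before authentication is ever attempted, and every authentication failure gets one and the same message. The credential store, the dummy record and the PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count chosen for the example, not tuned.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample credential store: username -> (salt, password hash).
_SALT = os.urandom(16)
CREDENTIAL_STORE = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Dummy record so that an unknown username still costs a full hash computation;
# otherwise the response time alone would reveal whether the username exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("placeholder", _DUMMY_SALT)

GENERIC_FAILURE = "Invalid login"

@dataclass(frozen=True)
class LoginResult:
    ok: bool
    message: str

def login(username: str, password: str) -> LoginResult:
    # Step 1: input validation. A missing field means authentication was never
    # attempted, so naming the missing field leaks nothing about any account.
    if not username:
        return LoginResult(False, "Username is required")
    if not password:
        return LoginResult(False, "Password is required")
    # Step 2: authentication. Unknown user and wrong password take the same
    # code path and produce the same message.
    salt, expected = CREDENTIAL_STORE.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    supplied = _hash_password(password, salt)
    # The membership check is required: without it, guessing the dummy
    # password would "log in" a non-existent user.
    matched = hmac.compare_digest(supplied, expected) and username in CREDENTIAL_STORE
    if not matched:
        return LoginResult(False, GENERIC_FAILURE)
    return LoginResult(True, f"Welcome, {username}")
```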
