undefined | Better HN

0 pointsmindcrime10y ago0 comments

Regarding #1, telling the user that their login failed doesn't eliminate their ability to enumerate existing usernames. All they have to do instead is attempt to register a new account with the username they're testing. At some point, the site will have to tell them that the username already exists.

Agreed, but I would lean towards giving the bad guys as few tools as possible. If you require a captcha to register, and if you limit the number of registration attempts, you can also cut down on that channel.

That's not to say that this stuff is the be all / end all of course. It would probably be better to eliminate username/password combos altogether and do everything with keypairs, but until that day comes...

0 comments

shkkmo10y ago

Except you aren't really limiting the tools available to the bad guys, you are just making the UX worse. I find this 'best practice' annoying design and doubt that it has mitigated any attacks.

j / k navigate · click thread line to collapse

0 pointsmindcrime10y ago0 comments

0 comments

shkkmo10y ago

Except you aren't really limiting the tools available to the bad guys, you are just making the UX worse. I find this 'best practice' annoying design and doubt that it has mitigated any attacks.

j / k navigate · click thread line to collapse