undefined | Better HN

0 pointszmmmmm13y ago0 comments

> The clarified login error message finding is way more interesting than the vague platitudes on branding and security

The part about security isn't platitudes. Not displaying informative messages in response to failed logins is a security orthodoxy, something you are almost always told is a compulsary practise if you care about security. So a very key part of the story here is that they abandoned this standard security practise as a tradeoff in favor of usability. Whether this ever bites them or to what extent is something we may never know the answer to. So we have been told the good outcome of their tradeoff and not the bad side. It sounds to me like it was worth it, but I wouldn't like every web service to jump on this uncritically.

0 comments

yahelc13y ago

Sorry, I meant the security of relying on the services in general, not of exposing that someone has an account with you. Obviously, that's a serious security consideration, and each service should weigh the costs and the benefits.

In this case, it seems like they are already exposing it with the account checker, so making this change didn't open up any new vulnerabilities.

j / k navigate · click thread line to collapse

0 pointszmmmmm13y ago0 comments

> The clarified login error message finding is way more interesting than the vague platitudes on branding and security

0 comments

yahelc13y ago

In this case, it seems like they are already exposing it with the account checker, so making this change didn't open up any new vulnerabilities.

j / k navigate · click thread line to collapse