Login problems

I mis-typed my password while logging in and received the following error:

"The password you entered was incorrect. Remember that passwords are case sensitive."

This tells an attacker that the user name is correct. So they have half of the equation. Can someone change the error message to something more generic?

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

JDMurray

You are assuming the user name is correct but it does not explicitly indicate that in the error message. Have you tried entering a user name that does not exist, such as tedjames123, to see what the resulting error message is?

tedjames

Yep, you are correct. I should've tried that before posting.

JDMurray

So our login error message is actually a countermeasure to mis-direct an attacker into an inefficient course of action--BRILLIANT!

iBrokeIT

I'm confused, isn't your username publicly displayed in your post and in your your profile anyways?

Image: https://us.v-cdn.net/6030959/uploads/editor/g7/2vq2nu00fpsc.png

JDMurray

There are multiple possible identities in the login credentials, including member name, email address, or federated authentication via LinkedIn, Google, Facebook, etc. It is generally assumed that the identity factor in authentication credentials is not secret and may even be publicly known.

tedjames

iBrokeIT said:

I'm confused, isn't your username publicly displayed in your post and in your your profile anyways?

You are correct. User names in forums are almost never protected, though I'm sure some are. Really, the worst anyone can do if they break into your account (besides change your password) is to post in your name. They could of course destroy your reputation.

JDMurray

tedjames said:

They could of course destroy your reputation.

Destroy your reputation on TE? I'm sure any anomalous posting behavior from a contributing member would be quickly suspected as a member account breach and dealt with swiftly by the admins.

WhiteMilk

Score:
2 - 0

2 - @JDMurray

0 - @TedJames

unknown

This content has been removed.

JDMurray

That was the previous www.techexams.net site. There was no information on the old TE site (financial, PII, healthcare, etc.) that was worth protecting using HTTPS.

unknown

This content has been removed.

JDMurray

cyber_security said:
It makes users feel comfortable login in to a page with no HTTPS not a good thing and also no one ever reuses passwords do they.

It is possible to securely login to a site that is not HTTPS. The site's authentication system and HTTPS are two different things.

cyber_security said:
I think it was a good thing in a way though as it showed the attitude of the owners and mods of the forum that no one cared enough to spend a few dollars and sort it out.

Cost is not the reason that HTTPS was not used by the old TE.

cyber_security said:
An IT forum that could not do good security but argue why it was not needed or block anyone that mentioned it probably went some way to the forum going down hill like it did.

The lack of HTTPS, or any security issue, is not the reason the old TE languished in leadership for two-plus years.

unknown

This content has been removed.

JDMurray

cyber_security said:
You really trying to argue there was no issue with not using HTTPS on the old forum. Stop being silly.

There were never any functional issues with HTTP-only connectivity on the old TE. There were never any HTTP-only-related security issues experienced by the site or membership of old TE either. The (strongly) suggested use of HTTPS is Google's attempt to protect its AdSense revenue from being sniffed by ISPs--such as the ISP used by old TE was likely doing--and nothing more. I have yet to see any published proof that the wide-spread adoption of HTTPS has significantly improved Internet data transit security.

If all you have to gripe about the old TE is the lack of transit encryption for publicly-available content then are wasting your short life in useless rumination on a public forum.

unknown

This content has been removed.

bhiter010

refresh cache and cookies?