Login problems

tedjamestedjames Scruffy-looking nerfherdr Member Posts: 1,163 ■■■■■■■■□□
I mis-typed my password while logging in and received the following error:

"The password you entered was incorrect. Remember that passwords are case sensitive."

This tells an attacker that the user name is correct. So they have half of the equation. Can someone change the error message to something more generic?
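The concern in this post is that two different failure messages let a caller tell "unknown user name" apart from "wrong password". As an added illustration (not code from the forum or its software), here is the leaky pattern next to a handler that returns one generic message for both cases; it also goes one step beyond the post by running the password hash on the unknown-user path too, so the two failures take about the same time. The user store, the PBKDF2 parameters and the message wording are assumptions for this example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample credential store: username -> (salt, PBKDF2-SHA256 hash).
# The iteration count is kept low only so the example runs quickly.
_ITERATIONS = 20_000

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)

def make_user_store(*creds):
    """Build the assumed store from (username, password) pairs."""
    store = {}
    for name, pw in creds:
        salt = os.urandom(16)
        store[name.lower()] = (salt, _hash(pw, salt))
    return store

GENERIC_ERROR = "The user name or password you entered was incorrect."

# Dummy salt/hash used when the user name is unknown, so that path still does a
# full PBKDF2 computation instead of returning early (timing would otherwise
# leak the same information the message does).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)

def login_leaky(store, username, password):
    """The pattern the post worried about: the message reveals whether the name exists."""
    rec = store.get(username.lower())
    if rec is None:
        return (False, "No account with that user name exists.")
    salt, stored = rec
    if hmac.compare_digest(_hash(password, salt), stored):
        return (True, "ok")
    return (False, "The password you entered was incorrect.")

def login_generic(store, username, password):
    """Same outcome, but one message for both failure modes and no early return."""
    rec = store.get(username.lower())
    salt, stored = rec if rec is not None else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(_hash(password, salt), stored)
    if rec is not None and match:
        return (True, "ok")
    return (False, GENERIC_ERROR)
```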

Comments

  • JDMurrayJDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,892 Admin
    You are assuming the user name is correct but it does not explicitly indicate that in the error message. Have you tried entering a user name that does not exist, such as tedjames123, to see what the resulting error message is?
  • tedjamestedjames Scruffy-looking nerfherdr Member Posts: 1,163 ■■■■■■■■□□
    Yep, you are correct. I should've tried that before posting.
  • JDMurrayJDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,892 Admin
    So our login error message is actually a countermeasure to mis-direct an attacker into an inefficient course of action--BRILLIANT!   ;)
  • iBrokeITiBrokeIT GICSP, GCIP, GXPN, GPEN, GWAPT, GCFE, GCIA, GCIH, GSEC, CySA+, Sec+, eJPT Member Posts: 1,303 ■■■■■■■■■□
    I'm confused, isn't your username publicly displayed in your post and in your profile anyways?

    2019: GPEN | GCFE | GXPN | GICSP | CySA+
    2020: GCIP | GCIA | eCPPT | eWPT | eCTHP

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security
  • JDMurrayJDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,892 Admin
    There are multiple possible identities in the login credentials, including member name, email address, or federated authentication via LinkedIn, Google, Facebook, etc. It is generally assumed that the identity factor in authentication credentials is not secret and may even be publicly known.
  • tedjamestedjames Scruffy-looking nerfherdr Member Posts: 1,163 ■■■■■■■■□□
    iBrokeIT said:
    I'm confused, isn't your username publicly displayed in your post and in your profile anyways?

    You are correct. User names in forums are almost never protected, though I'm sure some are. Really, the worst anyone can do if they break into your account (besides change your password) is to post in your name. They could of course destroy your reputation.
  • JDMurrayJDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,892 Admin
    tedjames said:

    They could of course destroy your reputation.

    Destroy your reputation on TE? I'm sure any anomalous posting behavior from a contributing member would be quickly suspected as a member account breach and dealt with swiftly by the admins.  :)
  • WhiteMilkWhiteMilk Member Posts: 24 ■■■□□□□□□□
    edited August 13
  • JDMurrayJDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,892 Admin
    That was the previous www.techexams.net site. There was no information on the old TE site (financial, PII, healthcare, etc.) that was worth protecting using HTTPS.
  • JDMurrayJDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,892 Admin
    cyber_security said:
    It makes users feel comfortable logging in to a page with no HTTPS, not a good thing, and also no one ever reuses passwords, do they.

    It is possible to securely login to a site that is not HTTPS. The site's authentication system and HTTPS are two different things.


    cyber_security said:
    I think it was a good thing in a way though as it showed the attitude of the owners and mods of the forum that no one cared enough to spend a few dollars and sort it out.

    Cost is not the reason that HTTPS was not used by the old TE.


    cyber_security said:
    An IT forum that could not do good security but argue why it was not needed or block anyone that mentioned it probably went some way to the forum going down hill like it did.

    The lack of HTTPS, or any security issue, is not the reason the old TE languished in leadership for two-plus years.

  • JDMurrayJDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,892 Admin
    cyber_security said:
    You really trying to argue there was no issue with not using HTTPS on the old forum.  Stop being silly.

    There were never any functional issues with HTTP-only connectivity on the old TE. There were never any HTTP-only-related security issues experienced by the site or membership of old TE either. The (strongly) suggested use of HTTPS is Google's attempt to protect its AdSense revenue from being sniffed by ISPs--such as the ISP used by old TE was likely doing--and nothing more. I have yet to see any published proof that the widespread adoption of HTTPS has significantly improved Internet data transit security.

    If all you have to gripe about the old TE is the lack of transit encryption for publicly-available content, then you are wasting your short life in useless rumination on a public forum.