Security Flaw

Issue #218 wontfix
ShouAS created an issue

When entering a username and password, if an incorrect username is entered it will respond: "Username doesn't exist", whereas entering an incorrect password will respond: "Password incorrect."

This creates a security concern, as a malicious user attempting to gain access to accounts not their own will be able to confirm the usernames of accounts they wish to target. From there they can simply brute force/leaked password list/etc. their way into an account.

Solution: Any incorrect login details should give a generic response, such as "Username/Password is Incorrect."
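The behaviour described in the issue, and the proposed generic response, as an added example in Python. This is not the project's code: the user store, the PBKDF2 scheme and the function names are all assumed for illustration. It also covers a detail the generic message alone does not: if the "no such user" path skips the password hash check, the response time still reveals which usernames exist, so the hardened version hashes a dummy credential on that path too.

```python
"""Username enumeration through distinguishable login errors, and the fix.

Added example; not code from the project in this issue. The user store,
the PBKDF2 scheme and every function name here are assumptions.
"""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 50_000  # assumed work factor; any slow KDF would do


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store for the demo: username -> (salt, hash).
USERS = {}
for _name, _pw in (("alice", "correct horse battery staple"), ("bob", "hunter2")):
    _salt = os.urandom(16)
    USERS[_name] = (_salt, _hash_password(_pw, _salt))

# Dummy credential verified on the "no such user" path so that path costs
# the same as a real password check (a timing difference would otherwise
# leak what the message no longer says).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)


def login_vulnerable(username: str, password: str) -> tuple:
    """The behaviour reported in the issue: the message says which input was wrong."""
    rec = USERS.get(username)
    if rec is None:
        return False, "Username doesn't exist"
    salt, stored = rec
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return False, "Password incorrect."
    return True, "OK"


GENERIC = "Username/Password is Incorrect."


def login_hardened(username: str, password: str) -> tuple:
    """Same check, one message for every failure, and a hash computed even
    when the username is unknown so response time does not leak either."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    if ok and username in USERS:
        return True, "OK"
    return False, GENERIC


def enumerate_usernames(login, candidates):
    """Attacker's view: get the reply for a name that certainly does not exist,
    then keep every candidate whose reply differs from it."""
    baseline = login("no-such-user-" + secrets.token_hex(8), "x")[1]
    return [name for name in candidates if login(name, "x")[1] != baseline]


if __name__ == "__main__":
    wordlist = ["alice", "carol", "bob", "dave"]
    print("vulnerable endpoint leaks:", enumerate_usernames(login_vulnerable, wordlist))
    print("hardened endpoint leaks:  ", enumerate_usernames(login_hardened, wordlist))
```

Run stand-alone, the first line lists `alice` and `bob` (one junk-password probe per candidate is enough) and the second lists nothing, because every failure from `login_hardened` is byte-for-byte the same reply. The same comparison-against-baseline approach is what an attacker applies to status codes, redirect targets and response sizes, so those need to match across the two failure paths as well, not just the message text.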

Comments (3)

  1. Josh Glassmaker repo owner

    Pretty hard to brute force the login when there is protection - 3 failed attempts of any kind and you have to wait 30 seconds, and it will continue to delay you 30 seconds for every consecutive attempt after. Hell if you even think about jumping the gun and trying again before your 30 second delay, it delays you again for a fresh 30 seconds.

    I made the brute force detection pretty aggressive to give users a more friendly response.

    But I will change it if others agree with your concerns.
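The throttle as the repo owner describes it in the comment above, modelled as an added Python example so its effect on the enumeration from the issue can be measured. It is not the project's code: keying the throttle on a client identifier, the data structure and the function names are assumptions; the three free failures, the 30 second hold, and the fresh 30 seconds for an attempt made during the hold are taken from the comment.

```python
"""Failure throttle modelled on the repo owner's description in comment 1.

Added example; not the project's code. Keying the throttle on a client
identifier, the data structure and the function names are assumptions;
the numbers (3 free failures, 30 second hold, a fresh 30 seconds for an
attempt made during the hold) come from the comment.
"""
import time
from dataclasses import dataclass

FREE_FAILURES = 3
DELAY = 30.0


@dataclass
class _State:
    failures: int = 0
    locked_until: float = 0.0


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so the behaviour can be simulated
        self._state = {}

    def remaining(self, key: str) -> float:
        """Seconds the client still has to wait; 0 when an attempt is allowed."""
        st = self._state.get(key)
        return max(0.0, st.locked_until - self._clock()) if st else 0.0

    def check(self, key: str) -> float:
        """Called before the credential check. An attempt during the hold is
        refused and restarts the hold at a fresh DELAY ("jumping the gun")."""
        if self.remaining(key) > 0:
            self._state[key].locked_until = self._clock() + DELAY
            return DELAY
        return 0.0

    def record(self, key: str, success: bool) -> None:
        """Called after the credential check. Every failure counts; from the
        third onward each one starts a new DELAY hold. Success clears the key."""
        if success:
            self._state.pop(key, None)
            return
        st = self._state.setdefault(key, _State())
        st.failures += 1
        if st.failures >= FREE_FAILURES:
            st.locked_until = self._clock() + DELAY


def attempt(throttle: LoginThrottle, key: str, credentials_ok: bool):
    """One login attempt. Returns (outcome, seconds_to_wait)."""
    wait = throttle.check(key)
    if wait:
        return "throttled", wait
    throttle.record(key, credentials_ok)
    return ("ok" if credentials_ok else "bad_credentials"), 0.0


def simulate(events):
    """Replay (time_offset, credentials_ok) events from one client against a
    fresh throttle using a fake clock; returns the outcome list."""
    clock = [0.0]
    th = LoginThrottle(clock=lambda: clock[0])
    out = []
    for t, ok in events:
        clock[0] = float(t)
        out.append(attempt(th, "203.0.113.7", ok))
    return out


def patient_probe_time(n_attempts: int) -> float:
    """Simulated time at which a client that always waits out the hold (so it
    is never reset) completes its n-th failed attempt."""
    clock = [0.0]
    th = LoginThrottle(clock=lambda: clock[0])
    for _ in range(n_attempts):
        clock[0] += th.remaining("attacker")
        attempt(th, "attacker", False)
    return clock[0]


if __name__ == "__main__":
    print(simulate([(0, False), (1, False), (2, False), (5, False), (40, False), (100, True)]))
    print(patient_probe_time(123))  # a patient client fits 123 attempts into an hour
```

In the replay, the fourth attempt (at t=5, inside the hold) is refused and pushes the hold out to t=35; the attempt at t=40 is let through and answered, which starts the next hold. `patient_probe_time` shows the limit this gives against a client that never jumps the gun: three attempts immediately, then one every 30 seconds, so about 120 answered attempts per hour per key. Each answered attempt is still a full credential check, so combined with the distinguishing messages from the issue it is also one confirmed username per probe; the throttle slows enumeration rather than removing it, and if the key is a client address, every additional address an attacker uses starts with its own three free attempts.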

  2. Steven Harrigan

    While it is technically less secure, the chances of it mattering are so low, I wouldn't be concerned. If you're using a secure password, there shouldn't really be any concern. It's less dangerous than someone over your shoulder seeing you log in, since they get your username AND your password length.

    Considering you were possibly moving to SSO-only login eventually anyway, I don't think it's really that important and not really worth the time.
