
On why telling users if it is the username or password that is incorrect they say...

    But after some further consideration, we decided that it
    was a false risk, as the username reminder form already
    tells you if a username exists, and is not a significant
    security risk for the bajilions of sites that have them.
Oh, damn, I didn't realize bajilions of sites do this and yet are so secure. Next time, a better response I hope: "but instead we decided to allow for error differentiation while also increasing the controls on the number of failed logins allowed and alerts to security staff in such cases."

<pulls out brute force scripts>

PS. just never let anyone from marketing, design or management discuss your security publicly without review.
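The compensating controls the comment asks for, as an added example that is not from this thread: a login check with a uniform error message by default, a per-username failure counter that raises a captcha gate after a threshold, and an alert hook. The user store, the threshold of 5 and the alert list standing in for notifying security staff are assumptions for the demo.

```python
import hmac
import secrets
from collections import defaultdict

# Constructed demo user store. Plaintext passwords are for the example only;
# a real system stores salted password hashes.
USERS = {"alice": "correct horse", "bob": "hunter2"}
# Random value compared against when the username is unknown, so the
# comparison does the same work whether or not the account exists.
_DUMMY = secrets.token_hex(16)


class LoginGuard:
    """Login check with a per-username failure counter, a captcha gate after
    `threshold` consecutive failures, and an alert hook for security staff."""

    def __init__(self, threshold=5, reveal_which=False):
        self.threshold = threshold
        self.reveal_which = reveal_which   # True = tell the user which field was wrong
        self.failures = defaultdict(int)   # username -> consecutive failures
        self.alerts = []                   # stands in for paging/notifying security

    def attempt(self, username, password):
        """Return (ok, message, captcha_required)."""
        if self.failures[username] >= self.threshold:
            # Gate stays up until the captcha is solved, even for the right password.
            return False, "Too many failed attempts; complete the captcha.", True
        stored = USERS.get(username, _DUMMY)
        match = hmac.compare_digest(stored.encode(), password.encode())
        ok = match and username in USERS
        if ok:
            self.failures[username] = 0
            return True, "Welcome.", False
        self.failures[username] += 1
        if self.failures[username] == self.threshold:
            self.alerts.append(f"{self.threshold} consecutive failed logins for {username!r}")
        if self.reveal_which:
            # Differentiated messages are an account-existence oracle; the
            # counter and alert above are the compensating controls.
            msg = "Wrong password." if username in USERS else "Unknown username."
        else:
            msg = "Invalid username or password."
        return False, msg, False
```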




Well, if they show a captcha after 5 missed attempts your brute force scripts won't go far.


Yea, it was pretty terrible how they got hacked after this article.


Source?



