On Sat, 14 May 2005 20:29:03 -0700 Steve Langasek <[EMAIL PROTECTED]> wrote:

> On Sat, May 14, 2005 at 10:33:28PM -0400, Glenn Maynard wrote:
> > On Sat, May 14, 2005 at 07:22:56PM -0700, Steve Langasek wrote:
> > > > I also think it would be really "cool"(TM) if the system could display
> > > > a message "password expired" or "account is locked" if the user
> > > > successfully authenticates to the system but is unable to authorize
> > > > the user to use the system. This saves the user wondering "did I use
> > > > the correct password?", "Did I enter it in correctly?", etc.
> > >
> > > This leaks information to attackers about the state of the account.
> >
> > Hence "could": I don't consider the fact that an account is expired or
> > locked (or exists, for that matter) to be sensitive information, for
> > my uses, and would much prefer to give proper error messages. People
> > with different security needs/philosophies use different policies ...
>
> The trouble with doing this, in PAM-based systems, is that authentication
> precedes authorization; so any message that informs the user that the
> account is not authorized (i.e., it's expired or locked) also informs the
> attacker that authentication succeeded.
>
> So, it's not just information about the account state that's being leaked;
> you're also leaking authentication tokens.
>
> --
> Steve Langasek
> postmodern programmer