On 2010-10-02 (275), at 19:10, Jerry Leichter wrote:

On Oct 1, 2010, at 11:34 PM, Richard Outerbridge wrote:


By the way, the "don't acknowledge whether it was the login ID or the password that was wrong" example is one of those things "everyone knows" - along with "change your password frequently" - that have long passed their "use by" date. Just what attack on a modern system does revealing that a guessed login ID is correct actually allow? It can only be used in on-line attacks, and it's been years since any decent system didn't protect against high rates of failures in on-line authentication. Besides, valid - or highly- probably-valid - login ID's are typically cheaply available for most systems anyway.

I said it was old :) but it's still as true now as a use-case as it was way back then, in its time.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to