https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21311
M. Tompsett changed:

What: Text to go in the release notes
Removed: (empty)
Added:

It is good security practice to not provide details which could confirm or deny the existence of an account. Previously, the simple "This account has been locked!" confirmed its existence which would only encourage more attacks by hackers.

To prevent aiding malicious attacks, the message has been changed to something that does not expressly state the account has been locked. It only mentions that accounts will be locked after a number of failed attempts, instead of saying whether it is locked or not.

So while a successful attempt will seem to have an invalid username or password suggestion after the account is locked, users should be reminded that they can always reset their password or contact library staff for help.

--- Comment #29 from M. Tompsett ---
I attempted to write something. Feel free to change it, if it is unclear, too long, or insufficient.
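The behaviour the release note describes, as an added sketch that is not part of the original message and is not Koha's code: an unknown username, a wrong password and a locked account all produce the same response. The `Accounts` class, the threshold of 3, the message wording and the dummy hash for unknown usernames (which goes slightly beyond the note) are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILED = 3  # assumed lockout threshold; the page does not give one
# Constructed wording: states the lockout policy, not this account's state.
GENERIC_FAILURE = ("Invalid username or password. Accounts are locked after "
                   "several failed attempts; reset your password or contact "
                   "library staff.")


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Accounts:
    def __init__(self):
        self._users = {}                   # username -> salt, hash, failed count
        self._dummy_salt = os.urandom(16)  # used when the username is unknown

    def add(self, username, password):
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "hash": _hash(password, salt),
                                 "failed": 0}

    def is_locked(self, username):
        # Staff-side view only; never reflected in what the client sees.
        user = self._users.get(username)
        return bool(user) and user["failed"] >= MAX_FAILED

    def login(self, username, password):
        """Return (ok, message); every failure path returns the same message."""
        user = self._users.get(username)
        salt = user["salt"] if user else self._dummy_salt
        candidate = _hash(password, salt)  # always hash, even for unknown users
        if user is None:
            return False, GENERIC_FAILURE
        if user["failed"] >= MAX_FAILED:
            return False, GENERIC_FAILURE  # locked: the correct password fails too
        if hmac.compare_digest(candidate, user["hash"]):
            user["failed"] = 0
            return True, "Logged in"
        user["failed"] += 1
        return False, GENERIC_FAILURE
```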
