You and I understand that, but that doesn't make it any more valid to return more specific login error related information.
https://www.owasp.org/index.php/Authentication_Cheat_Sheet#User_IDs

If we want to pass security checks for 'owasp' then we have to have generic messages for login failures. Boneheaded as it may be, it's what people expect secure software to do.

On Thursday, September 11, 2014 1:49:36 PM UTC-7, Mark Li wrote:
>
> Looking through the source for auth.login(), it seems that the same
> "invalid login" error is given no matter what the particular error is
> (either username/email, or the password is wrong).
>
> I wanted to know if it is possible to return a more specific error msg
> after a failed login. If I use username and password as my login inputs,
> then I want to know the cause of a failed login:
> 1. Is the username in the database?
> 2. Is the password correct for that username?
>
> MailChimp did a brief write-up about this:
> http://blog.mailchimp.com/social-login-buttons-arent-worth-it/, where
> giving users a specific error msg had a very big impact on reducing login
> failure rates. They also addressed the security issue of being vague for
> login failure errors; it was determined to be a false risk. You can find
> out whether or not a username is taken through the registration form
> anyway, so providing a specific error msg on the login page does not tell
> you any more information than the registration page.
>
> --
> Resources:
> - http://web2py.com
> - http://web2py.com/book (Documentation)
> - http://github.com/web2py/web2py (Source code)
> - https://code.google.com/p/web2py/issues/list (Report Issues)
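The generic "invalid login" behaviour discussed in this thread, as an added example that is not web2py's own auth.login() code: a login check that returns the same message whether the username is unknown or the password is wrong, and that hashes a dummy credential for unknown usernames so the response time does not reveal which case occurred either. The user table, PBKDF2 parameters and message strings are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample parameters; web2py's own auth tables are not used here.
ITERATIONS = 50_000
GENERIC_ERROR = "Invalid login"


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password hash with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(username: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"username": username, "salt": salt, "hash": hash_password(password, salt)}


# Constructed in-memory user table with one account.
USERS = {u["username"]: u for u in [make_user("alice", "correct horse")]}

# Dummy credential hashed when the username is unknown, so the expensive
# PBKDF2 step (and therefore the response time) is paid in both failure cases.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("placeholder", _DUMMY_SALT)


def login(username: str, password: str) -> tuple[bool, str]:
    """Return (success, message); the message never says which check failed."""
    user = USERS.get(username)
    if user is None:
        salt, expected = _DUMMY_SALT, _DUMMY_HASH
    else:
        salt, expected = user["salt"], user["hash"]
    candidate = hash_password(password, salt)
    # compare_digest keeps the byte comparison itself constant-time; the
    # hash is always compared so the unknown-user path does no less work.
    matched = hmac.compare_digest(candidate, expected)
    ok = matched and user is not None
    return (True, "Welcome") if ok else (False, GENERIC_ERROR)
```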

