Hofmaimaier@feddit.org to Programmer Humor@programming.dev · 8 days ago
The mist of the www (image post, 26 comments)
rizzothesmall@sh.itjust.works · 8 days ago
Being able to determine if a username is valid without a valid password is a security flaw. Even something as simple as taking longer to validate the password when the username is a valid one can also lead to user enumeration.

cactusupyourbutt@lemmy.world · 7 days ago
I keep hearing that, yet the websites will gladly tell you that the username is taken when trying to register.

marius@feddit.org · 7 days ago
There are also a lot of websites where you first just enter a username and only when that is valid do they ask for a password.

psud@aussie.zone · 2 days ago
Many of those will progress to password even if the user doesn't exist.
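The two enumeration channels raised in the thread (a different error message for unknown users, and a login path that only spends time hashing when the username exists) side by side with a fixed version. This is an added example, not code from the thread or from any of the posters; it assumes a PBKDF2 password store, a single made-up account `alice`, and hypothetical helper names (`login_leaky`, `login_hardened`, `hash_calls_for`, `median_login_time`). The user store and the dummy credential are constructed inline so the script runs offline.

```python
import hashlib
import hmac
import os
import statistics
import time

PBKDF2_ITERS = 100_000      # deliberately slow hash, as a real login backend would use
HASH_CALLS = 0              # instrumentation only: counts password-hash computations


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; counts calls so the work per login path can be compared."""
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERS)


# Constructed user store for the example: one account, a made-up password.
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, hash_password("correct horse battery staple", _ALICE_SALT))}

# Dummy credential so the "no such user" path does the same hashing work as a real one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("placeholder-never-matches", _DUMMY_SALT)


def login_leaky(username: str, password: str):
    """The flaw from the thread: distinct error messages, and no hashing for unknown users."""
    rec = USERS.get(username)
    if rec is None:
        return False, "unknown user"                 # message alone enumerates accounts
    salt, stored = rec
    if hash_password(password, salt) == stored:      # only valid usernames pay the hash cost
        return True, "ok"
    return False, "wrong password"


def login_hardened(username: str, password: str):
    """Same message and same hashing work whether or not the username exists."""
    rec = USERS.get(username)
    exists = rec is not None
    salt, stored = rec if exists else (_DUMMY_SALT, _DUMMY_HASH)
    computed = hash_password(password, salt)        # always runs, so cost does not depend on existence
    # compare_digest does not stop at the first mismatching byte; '& exists' keeps a
    # (practically impossible) dummy-hash collision from logging in a nonexistent user.
    if hmac.compare_digest(computed, stored) & exists:
        return True, "ok"
    return False, "invalid username or password"


def hash_calls_for(login_fn, username: str, password: str = "wrong") -> int:
    """Number of password-hash computations one login attempt triggers."""
    before = HASH_CALLS
    login_fn(username, password)
    return HASH_CALLS - before


def median_login_time(login_fn, username: str, rounds: int = 5) -> float:
    """Median wall-clock seconds per attempt: the observable an attacker would measure."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        login_fn(username, "wrong")
        samples.append(time.perf_counter() - t0)
    return statistics.median(samples)


if __name__ == "__main__":
    for fn in (login_leaky, login_hardened):
        print(fn.__name__)
        for user in ("alice", "nobody"):
            ok, msg = fn(user, "wrong")
            print(f"  {user:7s} -> {msg!r}, hashes={hash_calls_for(fn, user)}, "
                  f"median={median_login_time(fn, user) * 1000:.1f} ms")
```

Running the script shows `login_leaky` answering in well under a millisecond for `nobody` and taking the full PBKDF2 cost for `alice`, while `login_hardened` takes the same time and returns the same message for both. Equalising the hash work removes the dominant timing difference; a production backend should also check that the user lookup itself (database query, cache hit versus miss) does not reintroduce a measurable gap. The registration case from the thread is harder to close the same way, since "username taken" is functional information; the usual mitigations there are rate limiting and flows that confirm through an out-of-band channel instead of answering inline.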