This repository has been archived by the owner on Aug 8, 2020. It is now read-only.
For security reasons we have to lie to the user on login. If a user enters the wrong username or password, the backend should return 404 or 401 in both cases. If the user has 2FA set up, the "Enter your 2FA code" prompt (or something like it) should be shown and then, whether the code is right or not, the message "Wrong password or username" should appear.
The reason for this is that a hacker would not know whether the data he entered is right or not. Currently it's user-friendly, but bad security practice.
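The behaviour the issue asks for, as an added example that is not code from this repository: every failure (unknown username, wrong password, wrong second-factor code) returns one identical response, and the server does the same amount of work on every path so that response time does not reveal which check failed. The account store, the salts, the decoy record and the choice of 404 are all constructed for the example; the second factor is plain RFC 4226 HOTP, and collecting it in the same request as the password (instead of a separate "enter your code" prompt) is the example's own design choice, so that the appearance of a 2FA prompt cannot itself confirm that the password was right.

```python
"""Uniform login failure: unknown user, wrong password and wrong 2FA code all
produce the same response and cost the server the same amount of work."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # tune to your hardware budget
# The one answer every failed attempt gets; 404 vs 401 does not matter as
# long as it is the same in all cases.
FAILURE = {"status": 404, "error": "Wrong username or password"}


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    hotp_secret: Optional[bytes] = None  # None = second factor not enrolled


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP. A TOTP client would pass counter = unix_time // 30."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


# Constructed sample accounts (fixed salts so the example is reproducible).
USERS = {
    "alice": User(salt=b"A" * 16, pw_hash=hash_password("correct horse", b"A" * 16)),
    "bob": User(salt=b"B" * 16, pw_hash=hash_password("battery staple", b"B" * 16),
                hotp_secret=b"12345678901234567890"),
}

# Decoy record used for unknown usernames: the same PBKDF2 and HOTP work is
# done against it, so timing does not reveal whether the account exists.
_DECOY = User(salt=b"Z" * 16, pw_hash=hash_password("decoy", b"Z" * 16),
              hotp_secret=b"decoy-secret-decoy-s")


def login(username: str, password: str, code: str = "", counter: int = 0) -> dict:
    """All factors arrive in one request; the result is decided in one place."""
    known = username in USERS
    user = USERS[username] if known else _DECOY

    # Evaluate every factor unconditionally: no early return on the first failure.
    pw_ok = hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)
    if user.hotp_secret is None:
        code_ok = True  # factor not enrolled, nothing to check
    else:
        expected = hotp(user.hotp_secret, counter).encode("ascii")
        code_ok = hmac.compare_digest(expected, code.encode("utf-8"))

    # Bitwise, not short-circuit, so all three results are always computed.
    if known & pw_ok & code_ok:
        return {"status": 200, "user": username}
    return dict(FAILURE)
```

The point of the decoy record is that a uniform message is not enough on its own: if the server skips the password hash for unknown usernames, the faster reply leaks account existence just as clearly as a different error text would. The same uniformity has to be applied to any other endpoint that takes a username, or the login lie buys nothing.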
2FA is not set up and will not be within the next releases.
But yes, it's perfectly normal to just send a "404", regardless of whether a user exists or the entered password is wrong :)
ghost changed the title from "Lie on login" to "Send 404 on wrong password and non-existing username" on Mar 17, 2019
ghost changed the title from "Send 404 on wrong password and non-existing username" to "Send 404 on wrong password and/or non-existing username" on Apr 16, 2019