Send 404 on wrong password and/or non-existing username #58

Mondei1 · 2019-03-17T18:10:10Z

For security reasons we have to lie to the user on login. If a user enters the wrong username or password the backend should return 404 or 401 in both cases. If the user has 2FA set upped, the "Enter your 2FA code" (or something) should be prompted and then, If the code is right or not, the message "Wrong password or username" is showing up.

The reason for this is because a hacker would not now If the data he put in is right or not. Currently it's user-friendly, but bad security practice.

The text was updated successfully, but these errors were encountered:

ghost · 2019-03-17T19:04:34Z

2FA is not set up and will not within the next releases.
But yes, it's perfectly normal to just send a "404", regardless of if an user exists or the entered password is wrong :)

Mondei1 added enhancement New feature or request vulnerability Security vulnerability or solution for one labels Mar 17, 2019

Mondei1 added this to the v1.0-RELEASE milestone Mar 17, 2019

ghost changed the title ~~Lie on login~~ Send 404 on wrong password and non-existing username Mar 17, 2019

ghost changed the title ~~Send 404 on wrong password and non-existing username~~ Send 404 on wrong password and/or non-existing username Apr 16, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Send 404 on wrong password and/or non-existing username #58

Send 404 on wrong password and/or non-existing username #58

Mondei1 commented Mar 17, 2019

ghost commented Mar 17, 2019

Send 404 on wrong password and/or non-existing username #58

Send 404 on wrong password and/or non-existing username #58

Comments

Mondei1 commented Mar 17, 2019

ghost commented Mar 17, 2019