On Mar 11, 2011, at 1:33 PM, artemy tregubenko wrote:

> I'm quoting first message in thread:
>
> "I want to emphasize once more that when username/password combination is
> wrong, message should be about wrong credentials. But when username/password
> combination is correct, message should be about permissions."
>
> Bruteforcing isn't related to desired behavior in any way.
Almost by definition, in a brute force attack you don't know any valid credentials. The purpose of the attack is to discover valid ones. If I'm a smart attacker, I will pay attention to the error message I get back from my failed login attempts. If I'm attacking an admin login page and I get told "You don't have permissions to log into the admin page" or "Use a valid admin account", then I know that I very likely have discovered a valid username and password for logging into the non-admin part of the site, which is a breach of security. I will now go log in as this user and begin seeing what sorts of holes are available to me from there.

How is this fundamentally any different from a message that says "Wrong password for that username"? Are you advocating that it's better design to tell brute force attackers whenever they hit upon a valid username, because it's clearer to valid users what the error is?

As for the error confusing valid users, I fail to see the issue. Users should know already whether they are admins on a site or not; that shouldn't be something they need to discover for themselves.

Walter
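The two designs argued over in this thread, as an added example that is neither Django's code nor code from either poster: `leaky_admin_login` returns a different message once the password is right but the account lacks staff rights, while `uniform_admin_login` answers both failures identically. The user table, usernames, passwords and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed in-memory user table: username -> (salt, password hash, is_staff).
# Iteration count kept low so the example runs quickly; production would use more.
ITERATIONS = 10_000

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user(password: str, is_staff: bool) -> tuple:
    salt = os.urandom(16)
    return (salt, _hash(password, salt), is_staff)

USERS = {
    "alice": make_user("correct horse", is_staff=False),  # valid, non-admin
    "bob": make_user("battery staple", is_staff=True),    # valid, admin
}
# Dummy record so unknown usernames cost the same hashing work as known ones
# (avoids a timing side channel on top of the message side channel).
_DUMMY = make_user("unused", is_staff=False)

def check_password(username: str, password: str):
    """Return the user record if username/password match, else None."""
    record = USERS.get(username)
    salt, stored, _ = record if record is not None else _DUMMY
    matched = hmac.compare_digest(_hash(password, salt), stored)
    return record if (record is not None and matched) else None

def leaky_admin_login(username: str, password: str) -> str:
    """The behaviour the quoted message asks for: a distinct error once the
    credentials are correct but the account is not staff. An attacker who
    sees the second message learns the password was right."""
    record = check_password(username, password)
    if record is None:
        return "Wrong username or password."
    if not record[2]:
        return "You don't have permission to log into the admin."
    return "OK"

def uniform_admin_login(username: str, password: str) -> str:
    """Walter's position: 'valid but not staff' is indistinguishable from
    'invalid', so the admin login never confirms a correct password."""
    record = check_password(username, password)
    if record is None or not record[2]:
        return "Wrong username or password."
    return "OK"
```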