On Tue, Sep 13, 2011 at 11:24 AM, Adam Jenkins <emperorce...@gmail.com> wrote:
> +1 on making the error say more than incorrect username/password. That
> is confusing. In regard to leaking information about the user, the
> error message in general could be changed to something like this, of
> course with better wording:
>
> "Username and password incorrect or access to this page restricted".
>
> The current status is that we are telling the user something that is
> incorrect. I've actually run into this situation before where I had a
> user reset their password a few times before coming to me.

+1 on this suggestion.  This has no security implications and is
clearly an improvement over the existing message.

-1 on the idea of having two separate messages.  It gives away
information, and regardless of whether that information is useful to
an attacker, we should not be trying to predict that.  We can't
envision all possible scenarios, so we should just assume that the
information *is* useful and avoid doing that.

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en.
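The point argued in the two messages above, shown as an added example that is not code from the thread or from Django: a login handler that returns a different message for an unknown username, a wrong password and a restricted page tells an observer which check failed, while one uniform message does not. The user store, the PBKDF2 hashing scheme, the page-permission set and the dummy credential used for unknown usernames are all constructed stand-ins for this illustration; the dummy comparison goes a step beyond the thread by also keeping the amount of work the same on both paths.

```python
"""Added example (not from the django-developers thread): one uniform
login failure message versus several distinct ones.

Everything below is a constructed stand-in for illustration, not Django's
authentication code.
"""
import hashlib
import hmac

UNIFORM_MESSAGE = "Username and password incorrect or access to this page restricted"


def _hash(password: str, salt: bytes) -> bytes:
    # Constructed password hashing: PBKDF2-HMAC-SHA256 with a fixed work factor.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed user store: username -> (salt, stored hash, pages the user may open)
_SALT_ALICE = b"\x01" * 16
USERS = {
    "alice": (_SALT_ALICE, _hash("correct horse", _SALT_ALICE), {"/admin/"}),
}

# Dummy credential (assumption) checked when the username is unknown, so the
# unknown-user path does the same hashing work as the known-user path.
_DUMMY_SALT = b"\x02" * 16
_DUMMY_HASH = _hash("unused", _DUMMY_SALT)


def login_two_messages(username: str, password: str, page: str):
    """Leaky variant: the message reveals which of the three checks failed."""
    record = USERS.get(username)
    if record is None:
        return None, "Unknown username"
    salt, stored, allowed = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return None, "Incorrect password"
    if page not in allowed:
        return None, "You do not have access to this page"
    return username, ""


def login_uniform(username: str, password: str, page: str):
    """Hardened variant: every failure returns the same message, and an
    unknown username still goes through a hash comparison against a dummy
    credential so neither the text nor the work done reveals the branch."""
    record = USERS.get(username)
    salt, stored, allowed = record if record else (_DUMMY_SALT, _DUMMY_HASH, set())
    password_ok = hmac.compare_digest(_hash(password, salt), stored)
    if record is None or not password_ok or page not in allowed:
        return None, UNIFORM_MESSAGE
    return username, ""


def distinguishable(login, page: str = "/admin/") -> bool:
    """True if the failure message for an existing account differs from the
    one for a nonexistent account, i.e. the message confirms the account."""
    _, known = login("alice", "wrong", page)
    _, unknown = login("nobody", "wrong", page)
    return known != unknown


if __name__ == "__main__":
    print("two messages leak account existence:", distinguishable(login_two_messages))
    print("uniform message leaks account existence:", distinguishable(login_uniform))
```

`distinguishable` is the check a reviewer would run against any login view: feed it one username that exists and one that does not, with a wrong password for both, and confirm the responses are identical. The hardened variant also keeps a successful login unchanged, so the only thing a legitimate user loses is the hint about which field to correct.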
