
> bots with targeted email could scan for site accounts

Indeed. A good login form will give away nothing about whether the attempt failed because the username doesn't exist or because the password was wrong, or anything else that leaks information to a malicious party. There's always a balance between security and convenience, and where that balance lies is determined by your threat model. It's almost universally an anti-pattern to respond in a way that lets a potential attacker know that they've found a valid username for your site.
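The point about not revealing whether the username or the password was wrong covers two channels: the error text itself and the response time (an early return on "no such user" skips the password hash and answers noticeably faster). The following is an added example, not code from the comment author; it assumes a constructed in-memory user store with PBKDF2-SHA256 hashes and shows a leaky handler beside a hardened one that returns a single generic message and always does the same hashing work.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length verifier from the password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str):
    """Create a (salt, hash) record for a constructed sample account."""
    salt = os.urandom(16)
    return (salt, hash_password(password, salt))


# Constructed user store: one known account.
USERS = {"alice": make_user("correct horse battery staple")}

# Dummy record used for unknown usernames so the same hashing work is done
# whether or not the account exists (keeps response time uniform).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)

GENERIC_ERROR = "Invalid username or password."


def login_leaky(username: str, password: str):
    """'Before' version: distinct messages reveal whether the username exists,
    and the early return means an unknown user is answered without any
    hashing, which is measurable even if the messages were identical."""
    if username not in USERS:
        return (False, "No such user.")
    salt, stored = USERS[username]
    if hash_password(password, salt) != stored:
        return (False, "Wrong password.")
    return (True, "OK")


def login_uniform(username: str, password: str):
    """Hardened version: one message for every failure, a password hash is
    always computed (against the dummy record for unknown users), and the
    comparison is constant-time."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)
    # The existence check is applied after the hash so the work is identical
    # on both paths; compare_digest avoids an early-exit byte comparison.
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    if not ok:
        return (False, GENERIC_ERROR)
    return (True, "OK")


if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(fn.__name__, "unknown user:", fn("bob", "x")[1])
        print(fn.__name__, "wrong password:", fn("alice", "x")[1])
```

The remaining signals a defender should also unify are things the handler itself cannot see: rate-limit and lockout behaviour, password-reset and registration responses ("that email is already registered"), and HTTP status codes, all of which can leak account existence just as a distinct error message does.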



