Hofmaimaier@feddit.org to Programmer Humor@programming.dev · 27 days agoThe mist of the wwwfeddit.orgimagemessage-square15fedilinkarrow-up13arrow-down11
arrow-up12arrow-down1imageThe mist of the wwwfeddit.orgHofmaimaier@feddit.org to Programmer Humor@programming.dev · 27 days agomessage-square15fedilink
minus-squarerizzothesmall@sh.itjust.workslinkfedilinkarrow-up0·edit-227 days agoBeing able to determine if a username is valid without a valid password is a security flaw Even something as simple as taking longer to validate the password when the username is a valid one can also lead to user enumeration
minus-squarecactusupyourbutt@lemmy.worldlinkfedilinkarrow-up2·26 days agoI keep hearing that, yet the websites will gladly tell you that the username is taken when trying to register
minus-squaremeekah@discuss.tchncs.delinkfedilinkarrow-up1·26 days agoI’d assume the spam protection for signing up is a lot tighter than the one for logging in
minus-squaremarius@feddit.orglinkfedilinkarrow-up0arrow-down1·26 days agoThere are also a lot of websites where you first just enter a username and only when that is valid they ask for a password
minus-squarepsud@aussie.zonelinkfedilinkEnglisharrow-up1·21 days agoMany of those will progress to password even if the user doesn’t exist
minus-squaredbx12@programming.devlinkfedilinkarrow-up0·25 days agoAnd this fucks with password managers as they usually expect both fields on the same page.
minus-squareThe Ramen Dutchman@ttrpg.networklinkfedilinkarrow-up1·3 days agoWhich ones? Both Keeper and KeepassXC will work just fine with it and the latter is FOSS.
Being able to determine if a username is valid without a valid password is a security flaw
Even something as simple as taking longer to validate the password when the username is a valid one can also lead to user enumeration
I keep hearing that, yet the websites will gladly tell you that the username is taken when trying to register
I’d assume the spam protection for signing up is a lot tighter than the one for logging in
There are also a lot of websites where you first just enter a username and only when that is valid they ask for a password
Many of those will progress to password even if the user doesn’t exist
And this fucks with password managers as they usually expect both fields on the same page.
Which ones? Both Keeper and KeepassXC will work just fine with it and the latter is FOSS.