cm0002@lemmy.world to Cybersecurity - Memes@lemmy.world · 1 month ago

Uh oh, somebody's not following best practices, that's a paddlin

(image post, 81 comments)
Vigge93@lemmy.world · 1 month ago

That would be an extremely bad idea tho, because it would allow a malicious attacker to:

- Try random usernames, and if the website returns a hash they know that user exists
- Once they have the hash, and the hashing algorithm, it is much easier to brute-force the password, bypassing any safeguards on the server

Username/password validation should happen entirely server-side, with as little information as possible provided to the client
aesthelete@lemmy.world · 1 month ago

> Username/password validation should happen entirely server-side, with as little information as possible provided to the client

💯 It's recommended practice to not even tell them which half of the username/password combination failed upon authentication failures.
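As an added illustration of the two comments above (example code written for this page, not code from the thread or from any real site), here is the pattern Vigge93 warns against next to a server-side check that follows both pieces of advice: the stored hash never leaves the server, and the response is identical whether the username is unknown or the password is wrong. The user store, the placeholder salt/hash pair and the PBKDF2 iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed parameters and sample data for the example; a real deployment
# keeps these in a database and tunes the iteration count to its hardware.
PBKDF2_ITERATIONS = 100_000
GENERIC_FAILURE = "Invalid username or password."


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (the server's secret material)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user(password: str) -> tuple[bytes, bytes]:
    """Create the (salt, hash) record stored for a user."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed user store: username -> (salt, stored hash).
USERS = {
    "alice": make_user("correct horse battery staple"),
}

# Placeholder record used when the username does not exist, so the server does
# the same amount of hashing work for unknown and known usernames alike.
_DUMMY_SALT, _DUMMY_HASH = make_user("placeholder-never-a-real-password")


def login_leaky(username: str):
    """The design the thread criticises: the server hands the client the salt and
    stored hash so the client can check the password itself. It confirms that the
    username exists (None vs. a record) and gives away the material needed for an
    offline guessing attack that bypasses any server-side rate limiting."""
    if username not in USERS:
        return None
    salt, stored = USERS[username]
    return {"salt": salt.hex(), "hash": stored.hex()}


def login(username: str, password: str) -> tuple[bool, str]:
    """Server-side check. Returns (success, message); the failure message is the
    same whether the username is unknown or the password is wrong, and nothing
    derived from the stored hash is returned."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)
    # compare_digest runs in constant time; the existence check comes after the
    # comparison so an unknown username cannot short-circuit the work.
    matched = hmac.compare_digest(candidate, stored)
    if matched and username in USERS:
        return True, "Login successful."
    return False, GENERIC_FAILURE


if __name__ == "__main__":
    print(login("alice", "correct horse battery staple"))
    print(login("alice", "wrong password"))
    print(login("nobody", "anything"))
```

The two failure paths return byte-for-byte identical responses, which is what "not telling them which half failed" means in practice; the leaky variant shows how returning the hash both confirms the account and moves the guessing work off the server.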