cm0002@lemmy.world to Cybersecurity - Memes@lemmy.world · 4 months ago
Uh oh, somebody's not following best practices, that's a paddlin (image post, 83 comments)
Vigge93@lemmy.world · 4 months ago
That would be an extremely bad idea tho, because it would allow a malicious attacker to

- Try random usernames, and if the website returns a hash they know that user exists
- Once they have the hash, and the hashing algorithm, it is much easier to brute-force the password, bypassing any safeguards on the server

Username/password validation should happen entirely server-side, with as little information as possible provided to the client
aesthelete@lemmy.world · 4 months ago
> Username/password validation should happen entirely server-side, with as little information as possible provided to the client

💯 It's recommended practice to not even tell them which half of the username/password combination failed upon authentication failures.
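Both comments above make the same point: keep the hash and the comparison on the server and tell the client as little as possible. As an added example (not code from either commenter), a Python login check that never hands the stored hash out, verifies a dummy record when the username is unknown so response time does not reveal whether the account exists, and returns one generic message whichever half of the credential was wrong; the user store, salts and PBKDF2 parameters are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo parameters; a real deployment would tune the cost.
ITERATIONS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> tuple[bytes, bytes]:
    """Build a (salt, hash) record for the server-side store."""
    salt = os.urandom(16)
    return salt, _derive(password, salt)


# Constructed user store: username -> (salt, hash). It stays on the server.
USERS = {"alice": make_record("correct horse battery staple")}

# Dummy record verified for unknown usernames, so an unknown user costs the
# same PBKDF2 work as a known user with a wrong password (no timing oracle).
_DUMMY_SALT, _DUMMY_HASH = make_record(os.urandom(16).hex())

# One message for every failure: the client never learns which half failed.
GENERIC_FAILURE = "Invalid username or password"


def login(username: str, password: str) -> tuple[bool, str]:
    """Server-side check; returns (success, message) and nothing else."""
    known = username in USERS
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _derive(password, salt)           # always do the full work
    matches = hmac.compare_digest(candidate, stored)  # constant-time compare
    if not (known and matches):
        return False, GENERIC_FAILURE
    return True, "OK"
```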