"Invalid Username or Password"

Fri, 07/20/2012 - 16:11
Cornu

The login for the game differentiates between whether the username is wrong or the password is wrong.

When you type in a username that is incorrect, it will say "No such username." If a username exists and you have the password wrong, it will say "Password incorrect."

Come on guys, that's a security risk and you should know better! Keeping it this way "would make it easy for an attacker to find out which usernames are valid in the system and concentrate brute force attacks against them. Keeping the message ambiguous is good security practice."¹

Just change it to "incorrect username or password."
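An added example, not part of the original post and not the game's own code: the two-message login described above next to a version that returns one generic message. It goes slightly beyond the post by also hashing against a dummy record for unknown usernames so response time does not reveal which names exist; the account store, names and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Incorrect username or password."
ITERATIONS = 10_000  # constructed value, kept low so the example runs quickly


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str):
    """Return a (salt, hash) pair for storage."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed sample account store: username -> (salt, hash)
USERS = {"alice": make_record("correct horse")}

# Dummy record so an unknown username costs the same hashing work as a known one.
_DUMMY = make_record("placeholder-not-a-real-account")


def login_leaky(username: str, password: str):
    """Behaviour described in the post: distinct messages reveal valid names."""
    record = USERS.get(username)
    if record is None:
        return False, "No such username."
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "Password incorrect."
    return True, "Welcome."


def login_uniform(username: str, password: str):
    """Same check, but every failure does one hash and returns one message."""
    record = USERS.get(username)
    salt, stored = record if record is not None else _DUMMY
    matches = hmac.compare_digest(_hash(password, salt), stored)
    # Require a real record too, so the dummy password can never log anyone in.
    if record is not None and matches:
        return True, "Welcome."
    return False, GENERIC_ERROR
```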

Fri, 07/20/2012 - 16:18
#1
Luguiru
Why is it invalid

If you know your own username and password you should be able to tell which is wrong.

Fri, 07/20/2012 - 16:21
#2
Cornu
@Luguiru

That's what I'm saying, the game login currently differentiates between incorrect usernames and incorrect passwords, which is a security risk.

Fri, 07/20/2012 - 16:26
#3
Little-Juances
~

"would make it easy for an attacker to find out which usernames are valid in the system and concentrate brute force attacks against them"

Guessing usernames is easier than you think, just try to create a new account. It'll probably say "x name is already in use".
Works almost everywhere :p

Risk you say? Just a small delay for any real h4x0r.

Fri, 07/20/2012 - 16:26
#4
Luguiru
"It already does that"

I thought you were suggesting that it should tell you which is wrong.

You were right the first time, then.

I have a headache.

Too many stupid posts today.

I need to shower in some glue.

Fri, 07/20/2012 - 16:30
#5
Cornu
@Little

It still takes much longer than typing a random username into the game and having it spit back at you which is valid.
It's just common programming practice guys.

Fri, 07/20/2012 - 16:39
#6
Lightyourfire
@Luguiru

Too many stupid posts you say, get ready for more!!!!

http://forums.spiralknights.com/en/node/60279

Fri, 07/20/2012 - 16:47
#7
Little-Juances
~

Wait wait. Even better, the game wiki shows usernames publicly instead of being linked to knights like the forums.

So hackers already have some information served. That's a bigger hole to cover first.

Sat, 07/21/2012 - 14:46
#8
Cornu
@Little

For real?
Wow, that's messed up.
Fix this you guys :<
