When attempting to log in to the game, the login form will tell you specifically if your username or password is wrong. It should be changed to be more vague. An attacker could attempt to find valid usernames by trying different usernames until an "Invalid Password" error appears instead of "Invalid username."
Suggestion:
Change the error message to be a generic "Username or password is incorrect." or "Invalid credentials entered.", etc.
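The suggestion above, as an added example that is not part of the original post or the game's code: a login check with field-specific messages beside one that returns a single generic message, plus a regression check that compares the two failure cases. All names, the sample account and the PBKDF2 parameters are assumptions; hashing a dummy record for unknown usernames goes beyond the thread and keeps response time from revealing what the message no longer does.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Username or password is incorrect."

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; the iteration count is an example value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}

# Constructed sample account store (not real data).
USERS = {"alice": make_user("correct horse")}
# Dummy record so unknown usernames cost the same hashing work as known ones.
_DUMMY = make_user("dummy-password")

def login_specific(username: str, password: str) -> str:
    """Behaviour reported in the thread: the message says which field was wrong."""
    user = USERS.get(username)
    if user is None:
        return "Invalid username."
    if not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return "Invalid Password"
    return "OK"

def login_generic(username: str, password: str) -> str:
    """Suggested behaviour: one message for every kind of failure."""
    user = USERS.get(username)
    record = user if user is not None else _DUMMY
    matches = hmac.compare_digest(_hash(password, record["salt"]), record["hash"])
    if user is None or not matches:
        return GENERIC_ERROR
    return "OK"

def leaks_username_validity(login) -> bool:
    """Regression check: do a known and an unknown username fail differently?"""
    known = login("alice", "wrong-password")
    unknown = login("no-such-user", "wrong-password")
    return known != unknown
```

Running `leaks_username_validity` against the live login handler in a test suite catches the specific messages if a later update brings them back.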
Login Page gives too much information
Re: Login Page gives too much information
I think that part is just stock PHPBB code with no possibility to customize, although maybe there is a PHPBB plugin somewhere that hacks into that part. But in terms of security the fewer plugins the better, so...
My characters (sorted by IDs): Badziew, Tiger Fist, Pilgrim, Sentient Spellbook, a trojan cat.
Check my wiki profile for more information, including contact information.
Re: Login Page gives too much information
I don't think this one should be that hard to change to something less specific. Testing a fix seems to work on dev server so far.
"Hey, don't talk about bacon." - Frank Lapidus
Re: Login Page gives too much information
I tested this with my username and wrong password, and with a random username and something as password. Has this been implemented? It has been a while.
It hasn't been implemented.
A Parrot with a Blade - Melee/Touchcaster Holy Champion || GrayScimitar - Heavy Sword Tlac IB || RustyWire - Gunwiz
Re: Login Page gives too much information
I believe this was updated in the latest game update. Thank you for the reminder!
"Hey, don't talk about bacon." - Frank Lapidus
Re: Login Page gives too much information
Seems to be working now, lovely
A Parrot with a Blade - Melee/Touchcaster Holy Champion || GrayScimitar - Heavy Sword Tlac IB || RustyWire - Gunwiz