Login Page gives too much information
Posted: Wed Nov 24, 2021 5:49 pm
by Haweh
When attempting to log in to the game, the login form will tell you specifically if your username or password is wrong. It should be changed to be more vague. An attacker could attempt to find valid usernames by trying different usernames until an "Invalid Password" error appears instead of "Invalid username."
Suggestion:
Change the error message to be a generic "Username or password is incorrect." or "Invalid credentials entered.", etc.
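An added example, not part of the original post and not the game's code: a login check that returns the two distinct messages reported above, next to one that returns a single generic message. It goes one step beyond the suggestion by also verifying a dummy hash for unknown usernames, so both failure paths do the same work. The user store, function names and PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Username or password is incorrect."
ITERATIONS = 100_000  # assumed work factor for this sketch


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str):
    """Return (salt, digest) for storage."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed sample user store (hypothetical account).
USERS = {"alice": make_record("correct horse")}

# Record checked when the username is unknown; its password is random
# and discarded, so it only exists to keep the work per request equal.
_DUMMY = make_record(os.urandom(16).hex())


def login_leaky(username: str, password: str):
    """Behaviour reported in the thread: one message per failure cause."""
    record = USERS.get(username)
    if record is None:
        return False, "Invalid username."
    salt, digest = record
    if not hmac.compare_digest(_hash(password, salt), digest):
        return False, "Invalid Password"
    return True, "OK"


def login_generic(username: str, password: str):
    """Same check, but every failure looks the same to the client."""
    record = USERS.get(username)
    salt, digest = record if record is not None else _DUMMY
    matches = hmac.compare_digest(_hash(password, salt), digest)
    # An unknown user always fails, even if the dummy hash matched.
    if record is None or not matches:
        return False, GENERIC_ERROR
    return True, "OK"
```
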
Re: Login Page gives too much information
Posted: Wed Nov 24, 2021 7:10 pm
by Badziew
I think that part is just stock phpBB code with no possibility to customize, although maybe there is a phpBB plugin somewhere that hacks into that part. But in terms of security the fewer plugins the better, so...
Re: Login Page gives too much information
Posted: Thu Nov 25, 2021 7:42 pm
by plscks
I don't think this one should be that hard to change to something less specific. Testing a fix seems to work on dev server so far.
Re: Login Page gives too much information
Posted: Sat Feb 26, 2022 12:18 pm
by SaltedSalmon
plscks wrote: ↑Thu Nov 25, 2021 7:42 pm
I don't think this one should be that hard to change to something less specific. Testing a fix seems to work on dev server so far.
Has this been implemented? It has been a while.
Re: Login Page gives too much information
Posted: Sat Feb 26, 2022 12:42 pm
by Goliath
SaltedSalmon wrote: ↑Sat Feb 26, 2022 12:18 pm
Has this been implemented? It has been a while.
I tested this with my username and wrong password, and with a random username and something as password.
It hasn't been implemented.
Re: Login Page gives too much information
Posted: Sun Feb 27, 2022 3:24 pm
by plscks
Goliath wrote: ↑Sat Feb 26, 2022 12:42 pm
Has this been implemented? It has been a while.
I tested this with my username and wrong password, and with a random username and something as password.
It hasn't been implemented.
I believe this was updated in the latest game update. Thank you for the reminder!
Re: Login Page gives too much information
Posted: Sun Feb 27, 2022 3:47 pm
by Goliath
Seems to be working now, lovely