tildes

Deimos 25e4207563 Login: show whether username or password was wrong I get a fair number of "forgot password" emails where the person is actually trying to log in with the wrong username. Normally, a login system shouldn't display whether the username or password was the incorrect part, but since it's already public information which usernames exist on Tildes (simply by visiting /user/<username>), this really isn't meaningfully hiding anything. It would only have any effect on the most absolutely naive attackers. I think it's an acceptable trade-off to help out people that are inadvertently trying to log in with the wrong username instead.	5 years ago
..
Bug Report.md	Create bug report issue template	5 years ago

Deimos 25e4207563 Login: show whether username or password was wrong

I get a fair number of "forgot password" emails where the person is
actually trying to log in with the wrong username. Normally, a login
system shouldn't display whether the username or password was the
incorrect part, but since it's already public information which
usernames exist on Tildes (simply by visiting /user/<username>), this
really isn't meaningfully hiding anything. It would only have any effect
on the most absolutely naive attackers. I think it's an acceptable
trade-off to help out people that are inadvertently trying to log in
with the wrong username instead.

5 years ago

Bug Report.md

Create bug report issue template

5 years ago