rosenjcb@lemmy.world to Technology@lemmy.worldEnglish · 2 years agoI just made my first Lemmy PRgithub.comexternal-linkmessage-square20fedilinkarrow-up1189arrow-down15file-text
arrow-up1184arrow-down1external-linkI just made my first Lemmy PRgithub.comrosenjcb@lemmy.world to Technology@lemmy.worldEnglish · 2 years agomessage-square20fedilinkfile-text
minus-squareVenator@kbin.sociallinkfedilinkarrow-up18·2 years agoThere should be an error, but it shouldn’t say whether it was the email or password that was wrong.
minus-squareSpzi@lemm.eelinkfedilinkEnglisharrow-up1arrow-down3·edit-22 years agoAn attacker would still know the account exists, and they would know the password did not match. Or you’re assuring them that specific password is used by some account, just not this one. Which is even worse.
minus-squareNull User Object@lemmy.worldlinkfedilinkEnglisharrow-up5·2 years agoRead the comment you’re responding to, again. Nothing about their suggestion leads to either of these scenarios.
minus-squareSpzi@lemm.eelinkfedilinkEnglisharrow-up4·2 years agoRight, I misread “shouldn’t” for “should”.
There should be an error, but it shouldn’t say whether it was the email or password that was wrong.
Fair point!
An attacker would still know the account exists, and they would know the password did not match.Or you’re assuring them that specific password is used by some account, just not this one. Which is even worse.Read the comment you’re responding to, again. Nothing about their suggestion leads to either of these scenarios.
Right, I misread “shouldn’t” for “should”.