Security Myth: Generic Login Error

Check out this post from Jay Fields Thoughts:

Here's where I have an issue. Maybe I can't find out from the login screen what is a valid username and what isn't, but it only takes me a click to get to a screen that tells me what a valid username is. Do we really believe that a hacker is going to give up on the login screen and not just hit the "forgot password" link like I do? I

(from: Security Myth: Generic Login Error)

Yay. This has been bothering me forever, but I just didn't have the time to blog about it. I totally agree.

While we are at it, the other annoyance is this. If a site requires my password to have at least 6 characters with one numeral, please put that little hint right under the password box. With all the different passwords I have to enter in different places with different rules, it would save me a lot of grief, and this one does not add any security concern either. After all, the hacker could just request a new account and see what the password requirements are.
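To make Jay's point concrete, here is an added example of mine (not code from either post): a login handler with the generic error, the "forgot password" screen one click away that answers differently for real and made-up names, and a uniform variant of that screen; reveals_existence is a check you can point at your own handlers to see which of them act as a username oracle. The user table and names are constructed for the example.

```python
# Added illustration, not code from either post. The in-memory user table
# and the account names below are constructed sample data.
import secrets

USERS = {"alice": "hunter2", "bob": "s3cret"}   # constructed: username -> password
SENT_RESETS = []                                  # reset mails "sent" by the uniform variant


def login(username, password):
    """Generic login error: same text whether the name or the password is wrong."""
    stored = USERS.get(username)
    if stored is not None and secrets.compare_digest(stored, password):
        return "Welcome"
    return "Invalid username or password"


def forgot_password_leaky(username):
    """The screen behind the 'forgot password' link as Jay describes it: it
    answers differently for unknown names, so the generic login text above
    buys nothing on its own."""
    if username in USERS:
        return "A reset link has been sent to your address"
    return "No account with that username"


def forgot_password_uniform(username):
    """Consistent variant: the reply does not depend on whether the account
    exists; the reset mail goes out (here: is recorded) only for real ones,
    which the requester cannot observe from the response."""
    if username in USERS:
        SENT_RESETS.append(username)
    return "If that account exists, a reset link has been sent to its address"


def reveals_existence(handler):
    """Defender's check: does the handler answer differently for a known
    username than for a freshly made-up one? True means it is a username oracle."""
    unknown = "no-such-user-" + secrets.token_hex(4)
    return handler("alice") != handler(unknown)
```

Run the check against every screen that takes a username (login, password reset, registration), not just the login form.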

Thanks Jay!

Posted on September 5, 2007 and filed under Technology.