The correct approach is to give a "one size fits all" error message. While security is important, so also is user experience.
On 9/13/11, Adam Jenkins <[email protected]> wrote:
> On Tue, Sep 13, 2011 at 12:42 PM, Wim Feijen <[email protected]> wrote:
>> Hi, thanks for your quick responses!
>>
>> Flavio, Jan and Florian, it only "gives away information" when an
>> attacker guesses both the username and the password right.
>
> I think this is the correct approach. Give them the access warning on
> correct login. It also seems to be the standard way of doing such
> things in my experience.
>
>> But if he can guess those right, he could already access the user's
>> information using the normal login! So giving this message does not
>> change the danger. On the other hand, it would prevent lots of
>> confusion.
>
> We really shouldn't be confusing the end user. It's just bad design to do
> so.
>
>> But we are repeating arguments here, so could you please read:
>>
>> http://groups.google.com/group/django-developers/browse_thread/thread/df19241a0b1a04ef
>>
>> before responding?
>>
>> Thanks!
>>
>> Wim
>>
>> On 13 sep, 19:23, Flávio Amieiro <[email protected]> wrote:
>>> On Tue, Sep 13, 2011 at 2:16 PM, Cal Leeming [Simplicity Media Ltd]
>>> <[email protected]> wrote:
>>> > +1, if the user/pass is entered, that user is entitled to know what its
>>> > own permissions are.
>>> > The error should give "You have insufficient access to this page" or
>>> > something like that.
>>>
>>> The thing is: if someone does a brute force attack on '/admin/' and
>>> gets this message back, they know there's a user with that
>>> login/password in the system. Since brute force attacks using common
>>> login/password pairs on these kinds of urls are so common, I think this
>>> exposes your user more than necessary.
>>>
>>> -1
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Django developers" group.
>> To post to this group, send email to [email protected].
>> To unsubscribe from this group, send email to
>> [email protected].
>> For more options, visit this group at
>> http://groups.google.com/group/django-developers?hl=en.
>

--
Sent from my mobile device
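The trade-off argued in this thread, as an added example that is not part of the thread and not Django's own code: a small stand-in for the admin login check with a constructed in-memory user store, run in two modes. In "specific" mode a valid username/password for a non-staff account gets its own "insufficient access" message, so the three failure cases (unknown user, wrong password, valid but non-staff) are distinguishable from outside; in "generic" ("one size fits all") mode all three produce the same response. The message wording, the users, the salted PBKDF2 storage and the dummy hash for unknown usernames (so the timing of the response does not leak what the message no longer does) are all my assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed stand-in for a user table; Django's real auth backend is not used.
@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    is_staff: bool


PBKDF2_ROUNDS = 50_000  # assumption: a modest work factor so the example runs quickly


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(username: str, password: str, is_staff: bool) -> User:
    salt = os.urandom(16)
    return User(username, salt, _hash(password, salt), is_staff)


# Constructed sample accounts: one staff user, one ordinary (non-staff) user.
USERS = {
    u.username: u
    for u in (
        make_user("alice", "correct horse", is_staff=True),
        make_user("bob", "battery staple", is_staff=False),
    )
}

# Constructed message wording (assumption, not Django's strings).
GENERIC = "Please enter a correct username and password for a staff account."
BAD_CREDENTIALS = "Please enter a correct username and password."
NO_ACCESS = "You have insufficient access to this page."

# Salt used for the dummy hash on unknown usernames; its only job is to make the
# unknown-user path cost the same as a real password check.
_DUMMY_SALT = b"\x00" * 16


def admin_login(username: str, password: str, generic: bool = True):
    """Return (ok, message). With generic=True every failure gets the same message."""
    user = USERS.get(username)
    if user is None:
        _hash(password, _DUMMY_SALT)  # equalise timing with the known-user path
        return False, GENERIC if generic else BAD_CREDENTIALS
    if not hmac.compare_digest(_hash(password, user.salt), user.pw_hash):
        return False, GENERIC if generic else BAD_CREDENTIALS
    if not user.is_staff:
        # The contested case: correct credentials, but no admin access.
        return False, GENERIC if generic else NO_ACCESS
    return True, ""


def responses_distinguish(generic: bool) -> bool:
    """True if an outside caller can tell 'valid non-staff credentials' apart
    from 'bad credentials' purely from the response text."""
    _, unknown_user = admin_login("carol", "anything", generic)
    _, wrong_password = admin_login("bob", "not his password", generic)
    _, valid_non_staff = admin_login("bob", "battery staple", generic)
    return len({unknown_user, wrong_password, valid_non_staff}) > 1


if __name__ == "__main__":
    print("specific messages leak validity:", responses_distinguish(generic=False))
    print("generic message leaks validity: ", responses_distinguish(generic=True))
```

The cost of the generic mode is exactly the confusion the thread discusses: a real non-staff user who types the right password is told the same thing as someone who typed the wrong one. The function keeps that choice in one flag so the two behaviours can be compared side by side rather than argued about in the abstract.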
