Sam <[EMAIL PROTECTED]> wrote:
>[EMAIL PROTECTED] writes:
>
>> Anyhow, I realize that giving information "up front" on working
>> usernames on the system is probably at least a small security risk,
>> so I'd rather not do that,
>
>I've yet to see anyone make a cogent argument for this, instead of
>accepting it as a given.
It's pretty obvious. Given two systems, one that advertises users and
one that doesn't, and an infinite supply of kiddie krackers doing
brute-force searches for accounts with easy-to-guess passwords, the
system that advertises usernames will be broken into first, on
average, because the crackers will waste less time trying to break
into nonexistent accounts.
-Dave
