Re: [hackers] [ubase][PATCH] login: obfuscate non-existent users

From: ilmich <ardutu_AT_gmail.com>
Date: Mon, 3 Dec 2018 16:27:49 +0100

> If you want to fake a real user why don't you check the password as well?
> For instance:
> if (pw_check(pw, pass) <= 0 || fakelogin)

By fake login I mean a process that also asks for a password for
non-existent users. My patch is meant to prevent an attacker from easily
gaining knowledge of my system by reading on screen that, for example,
user mysql doesn't exist.
So I think that there is no reason to really check for a non-existent password.
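
Added example, not part of the original message or of the ubase patch: a login flow that reveals unknown user names next to one that fails uniformly, using the `... <= 0 || fakelogin` condition from the quoted line. The account table, the dummy entry, the messages and the helper names are assumptions; check_secret() is a plain-comparison stand-in for a real hash check such as pw_check().

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample account table; a real login reads passwd/shadow. */
struct acct { const char *name; const char *secret; };
static const struct acct accts[] = { { "alice", "correct-horse" } };

/* Hypothetical placeholder entry that is checked when the name is unknown. */
static const struct acct dummy = { "", "!" };

static const struct acct *lookup(const char *name)
{
	size_t i;

	for (i = 0; i < sizeof(accts) / sizeof(accts[0]); i++)
		if (strcmp(accts[i].name, name) == 0)
			return &accts[i];
	return NULL;
}

/* Stand-in for a real hash comparison; a result > 0 means the password matches. */
static int check_secret(const struct acct *a, const char *pass)
{
	return strcmp(a->secret, pass) == 0 ? 1 : -1;
}

/* Leaky flow: an unknown name is reported before any password is checked. */
const char *login_leaky(const char *name, const char *pass)
{
	const struct acct *a = lookup(name);

	if (a == NULL)
		return "no such user";
	return check_secret(a, pass) > 0 ? "ok" : "incorrect password";
}

/* Uniform flow: same check and same message for every kind of failure. */
const char *login_uniform(const char *name, const char *pass)
{
	const struct acct *a = lookup(name);
	int fakelogin = (a == NULL);

	if (fakelogin)
		a = &dummy;	/* still run the check, but never accept the result */
	if (check_secret(a, pass) <= 0 || fakelogin)
		return "Login incorrect";
	return "ok";
}
```
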