Insecure login messages ? 3.3.5


Post by 4mpb5 »

If you enter an incorrect UID, the system says:
You have specified an incorrect username. Please check your username and try again. If you continue to have problems please contact the Board Administrator.

If you enter an incorrect PW, the system says:
You have specified an incorrect password. Please check your password and try again. If you continue to have problems please contact the Board Administrator.

Are these not insecure messages? Most login systems do not say which one of the two parameters is wrong, UID or PW, to prevent users from using a correct UID and locking up the account by repeated tries with a wrong PW, or to prevent hackers getting in by guessing the UID.

I thought there should only be one message when either UID or PW or both are wrong.

Should it not read:
You have specified an incorrect and/or password. Please check your UID and/or PW and try again. If you continue to have problems please contact the Board Administrator.
Re: Insecure login messages ? 3.3.5

Post by thecoalman »

You can file bug
4mpb5 wrote (Sat Oct 09, 2021 2:26 pm): "or to prevent hackers getting in by guessing the UID"

My UID is thecoalman... oops, now the entire world knows. :D It's publicly available knowledge, and if someone was trying to gain access to my account they already know what it is. The more precise error information provided to the user is preferable since there is no way to prevent the UID from being known on a public forum.

That said, your concern would apply on a completely private forum that requires admin activation, in which case you should probably be taking other steps outside of phpBB to secure it. You can file a bug report if you want.

http://tracker.phpbb.com/
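
The single-message behaviour asked for in the first post, sketched as an added example; this is not phpBB's code and not from either poster. The user store, the `attempt_login` function and the message wording are assumptions made for illustration. It also verifies a dummy hash for unknown usernames, so the response time does not reveal what the message hides.

```php
<?php
declare(strict_types=1);

// Constructed sample user store; a real board would query its users table.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Hash of a throwaway value, verified when the username is unknown so that
// both failure paths do the same amount of password-hashing work.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

// Hypothetical wording: one message for every failed login.
const LOGIN_FAILED = 'You have specified an incorrect username or password. '
    . 'Please check both and try again.';

/**
 * Returns [bool success, string message]. The message is identical whether
 * the username or the password was wrong.
 */
function attempt_login(array $users, string $dummyHash, string $username, string $password): array
{
    $known = array_key_exists($username, $users);
    $hash = $known ? $users[$username] : $dummyHash;

    // Always run password_verify, even for unknown usernames.
    $passwordOk = password_verify($password, $hash);

    if ($known && $passwordOk) {
        return [true, 'Login successful.'];
    }
    return [false, LOGIN_FAILED];
}

// Constructed inputs: unknown user, wrong password, valid login.
$cases = [
    ['mallory', 'anything'],
    ['alice', 'wrong password'],
    ['alice', 'correct horse battery staple'],
];
foreach ($cases as [$u, $p]) {
    [$ok, $msg] = attempt_login($users, $dummyHash, $u, $p);
    printf("%-8s %-5s %s\n", $u, $ok ? 'ok' : 'fail', $msg);
}
```

Registration and password-reset forms can reveal whether a username exists in the same way, so a uniform login message only helps where those are uniform as well.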