[wp-hackers] WordPress can "leak" if a username is valid

Otto otto at ottodestruct.com
Mon Feb 18 20:55:44 GMT 2008


Hasn't this been covered before?

http://trac.wordpress.org/ticket/3708
http://trac.wordpress.org/ticket/4290

Both are wontfix's, and I agree with the reasoning. Knowing if the
username is valid or not is not a security flaw. Security comes from
the system actually being secure, not whether or not somebody can work
out the usernames.

I mean, okay, I understand it in the case of other utilities. Look at
the old SSH documents, and yeah, a username leak makes it that much
easier to run a brute force attack. But this is not SSH. This is a
webpage with a login form. The same solutions should not instantly
apply just because that's what people think of as 'secure'.

What's the potential for harm here? What can somebody do knowing that
the username is wrong or the password is wrong? Brute force attack? If
we want to protect against brute force attacks, hiding the usernames
isn't the right way to do it. The right way there would be to
recognize rapid repeated failures to log in from the same IP and block
that IP for a period of time.

I vote for closing #5301 as wontfix *unless* somebody changes the
thing to actually point to a potential exploit and not some
theoretical "you can't know the username" security-theater idea.

-Otto

On Feb 18, 2008 2:36 PM, Alex Hempton-Smith <hempsworth at googlemail.com> wrote:
> Sorry if this has already been discussed before, but I was just looking
> through the open tickets and saw this one:
> http://trac.wordpress.org/ticket/5301
>
> It was suggested in one of the closed duplicate tickets that this issue be
> discussed on wp-hackers to find out the general consensus.
> I'd personally like to see this go into the core, what do you guys think?
>
> Alex
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
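The throttling approach Otto argues for above (notice rapid repeated login failures from one source IP and block that IP for a while), paired with a login response that does not reveal whether the username or the password was the wrong part, as an added illustration in Python. This is not code from the thread or from WordPress; the credential store, the fixed salt, the thresholds and the IP addresses are all constructed for the example, and the class and function names are the example's own.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Constructed credential store for the example: username -> PBKDF2 hash.
# A fixed salt keeps the run deterministic; real systems use a random per-user salt
# and a far higher iteration count than this example's 10_000.
_SALT = b"constructed-example-salt"


def _hash_password(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


USERS = {
    "admin": _hash_password("correct horse battery staple"),
}

# One message for both "no such user" and "wrong password", so the response
# itself does not confirm which usernames exist.
GENERIC_ERROR = "Invalid username or password."
LOCKED_ERROR = "Too many failed attempts; try again later."


class LoginThrottle:
    """Track failed logins per source IP in a sliding window and lock the IP
    out for a fixed period once it exceeds the failure threshold."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time at which the lockout ends

    def _prune(self, ip, now):
        # Drop failures that fell out of the sliding window.
        q = self.failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: forget it and start the IP with a clean slate.
            del self.locked_until[ip]
            self.failures[ip].clear()
            return False
        return True

    def record_failure(self, ip, now):
        self._prune(ip, now)
        self.failures[ip].append(now)
        if len(self.failures[ip]) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout

    def record_success(self, ip):
        self.failures.pop(ip, None)


def attempt_login(throttle, ip, username, password, now):
    """Return (ok, message). The message never distinguishes an unknown
    username from a wrong password; only the per-IP lockout changes it."""
    if throttle.is_locked(ip, now):
        return False, LOCKED_ERROR
    stored = USERS.get(username)
    # Hash the candidate password even for unknown usernames so the request
    # takes the same time either way.
    candidate = _hash_password(password)
    ok = stored is not None and hmac.compare_digest(candidate, stored)
    if ok:
        throttle.record_success(ip)
        return True, "Welcome."
    throttle.record_failure(ip, now)
    return False, GENERIC_ERROR


if __name__ == "__main__":
    t = LoginThrottle(max_failures=3, window_seconds=60, lockout_seconds=120)
    for i in range(4):
        print(attempt_login(t, "10.0.0.1", "admin", "guess", float(i)))
    print(attempt_login(t, "10.0.0.1", "admin", "correct horse battery staple", 200.0))
```

The `now` parameter is passed in rather than read from the clock so the window and lockout logic can be exercised deterministically; a real deployment would use `time.monotonic()` and would keep the per-IP state somewhere shared across web server processes.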

