[wp-hackers] WordPress can "leak" if a username is valid

Aaron Huran admin at anthologyoi.com
Mon Feb 18 21:18:35 GMT 2008


I agree with both Will and Otto. Security through obscurity is
repeatedly shown to result in laxer passwords and generally more
insecure programs.

From a user point of view, I use several different emails, or user
names with many different passwords. It can be difficult to remember
which exact email/name I used with which password for which website,
and I hate having to try combinations of a username with several
passwords before realizing that I either didn't register with that
username or I didn't register at all.

Even if an attacker knew a person's user name, the amount of time and
tries it would take to brute force it makes it unlikely that it would
pass unnoticed, and if social engineering is used to narrow down the
password choices, something similar can be done to determine the
username.

As I see it, vague error messages have mostly downsides and few, if
any, upsides.

Aaron.
