Travis Jeffery, writing for HackerNoon: There’s a security best practice where sign ins aren’t supposed to say “password is incorrect.” Instead they’re supposed to say the “username or password is incorrect.” This “best practice” is bullshit. Stripe’s and GitHub’s sign ins for example follow this practice. The idea is if an attacker knows a username, he or she could concentrate on that account using SQL injection, brute forcing the password, phishing, and so on. Here’s the problem. All a hacker has to do is sign up to know whether the username is valid or not. Why bother then with obfuscating the sign in? Only the dumbest, laziest hacker is stopped by the “username or password is incorrect” sign in. You gain no security, yet your customers lose clarity. Stripe has their form submission behind reCAPTCHA to prevent naive scripts attacking their sign up. However this has been broken multiple times and likely won’t ever be perfect. Even if reCAPTCHA was perfect, a hacker could manually validate their usernames of interest by trying to sign up, then automate an attack on the sign in page.
Read more of this story at Slashdot.