Feature #2569

closed

New login error messages

Added by Alexander Watzinger 6 months ago. Updated 6 months ago.

Status: Closed
Priority: Normal
Category: Backend
Target version:
Start date: 2025-06-28
Estimated time: 4.00 h

Description

Ferat Aydin from SEC4YOU reported that our login error messages are not conforming to a security guideline because usernames can be found out.

Although I (Alex) am not convinced that the seeming security improvement justifies sacrificing usability, it was decided in our last developer meeting to follow this guideline.
So in future we won't tell users at login if their username or password was incorrect but instead will give a generic "Invalid user or password" error message.
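
The behaviour described in this ticket, sketched as an added example that is not part of the original ticket and not the project's own code: every failed login takes the same path and returns the same message, while the specific reason is only logged server-side. The user store, the function names and the PBKDF2 parameters are assumptions made for the illustration; the example also goes one step beyond the message text by doing the same hashing work for unknown usernames, so response time does not give away what the message no longer does.

```python
import hashlib
import hmac
import logging
import os

log = logging.getLogger("auth")  # hypothetical logger name

GENERIC_ERROR = "Invalid user or password"  # wording taken from the ticket


def hash_password(password: str, salt: bytes) -> bytes:
    # Standard-library PBKDF2; iteration count kept low for the demo only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def make_user(password: str, active: bool = True) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "active": active}


# Constructed sample user store (hypothetical accounts).
USERS = {
    "alice": make_user("correct horse"),
    "carol": make_user("battery staple", active=False),
}

# Throwaway record so an unknown username costs the same hashing work.
_DUMMY = make_user(os.urandom(16).hex())


def login(username: str, password: str) -> tuple[bool, str]:
    user = USERS.get(username)
    record = user if user is not None else _DUMMY
    candidate = hash_password(password, record["salt"])
    password_ok = hmac.compare_digest(candidate, record["hash"])

    if user is not None and user["active"] and password_ok:
        return True, ""

    # The precise reason stays in the server log for administrators.
    reason = ("unknown user" if user is None
              else "inactive user" if not user["active"]
              else "wrong password")
    log.info("login failed for %r: %s", username, reason)
    return False, GENERIC_ERROR
```
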

Actions #1

Updated by Alexander Watzinger 6 months ago

  • Estimated time set to 4.00 h
  • Status changed from Assigned to In Progress
Actions #2

Updated by Alexander Watzinger 6 months ago

  • Description updated (diff)
  • Status changed from In Progress to Closed