[PATCH] privacy: don't tell users what is the reason for a failed login

Mads Kiilerich mads at kiilerich.com
Fri Jul 31 13:53:49 UTC 2015


 On Sat, May 16, 2015 at 5:04 PM, Andrew Shadura <andrew at shadura.me> wrote:

> # HG changeset patch
> # User Andrew Shadura <andrew at shadura.me>
> # Date 1431788631 -7200
> #      Sat May 16 17:03:51 2015 +0200
> # Node ID cb911e90e205bdb18fc2e2bd66549ea388d00413
> # Parent  388a6eada55925cb55cd2368e47a6115d833b4c1
> privacy: don't tell users what is the reason for a failed login
>
> Makes it harder for strangers to probe the instance for presence of
> certain users. This can make it harder to break in, as it is now
> harder to tell if a username or a password is wrong, so bruteforcing
> should probably take a bit longer if you don't know what exactly you
> are doing.
>

I changed my mind enough to push this one ;-)


/Mads