Login Page gives too much information

Past suggestions that have been incorporated into the live game.
Haweh
Posts: 76
Joined: Wed Nov 24, 2021 3:08 am

Login Page gives too much information

Post by Haweh »

When attempting to log in to the game, the login form will tell you specifically if your username or password is wrong. It should be changed to be more vague. An attacker could attempt to find valid usernames by trying different usernames until an "Invalid Password" error appears instead of "Invalid username."

Suggestion:
Change the error message to be a generic "Username or password is incorrect." or "Invalid credentials entered.", etc.
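
The behaviour reported above next to the suggested generic message, as an added example that is not part of the original post and is not the game's own code. It assumes a Python backend with PBKDF2 password hashes; every function name, the sample account and the iteration count are hypothetical.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Username or password is incorrect."
ITERATIONS = 50_000  # constructed value for the demo, not a recommendation

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password: str):
    salt = os.urandom(16)
    return salt, hash_password(password, salt)

# Constructed sample account store: username -> (salt, hash).
USERS = {"demo_player": make_record("correct horse")}

# Throwaway record so an unknown username costs the same hashing work
# as a known one (otherwise response time leaks what the message hides).
DUMMY = make_record(os.urandom(16).hex())

def login_leaky(username: str, password: str):
    """Behaviour described in the post: distinct errors confirm valid names."""
    record = USERS.get(username)
    if record is None:
        return False, "Invalid username."
    salt, stored = record
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return False, "Invalid Password"
    return True, "OK"

def login_generic(username: str, password: str):
    """Suggested fix: one message for both failures, same work on both paths."""
    salt, stored = USERS.get(username, DUMMY)
    matches = hmac.compare_digest(hash_password(password, salt), stored)
    if username in USERS and matches:
        return True, "OK"
    return False, GENERIC_ERROR

def distinguishable(login, known: str, unknown: str, wrong_password: str = "x"):
    """Regression check: do the two failure responses differ?"""
    return login(known, wrong_password) != login(unknown, wrong_password)
```

The `distinguishable` helper can run as a regression test so a later template or wording change does not reintroduce separate messages.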
Badziew
Posts: 105
Joined: Wed Nov 24, 2021 3:23 am
Location: Poland

Re: Login Page gives too much information

Post by Badziew »

I think that part is just stock phpBB code with no possibility to customize, although maybe there is a phpBB plugin somewhere that hacks into that part. But in terms of security, the fewer plugins the better, so...
My characters (sorted by IDs): Badziew, Tiger Fist, Pilgrim, Sentient Spellbook, a trojan cat.

Check my wiki profile for more information, including contact information.
plscks
Posts: 171
Joined: Wed Nov 10, 2021 2:30 am

Re: Login Page gives too much information

Post by plscks »

I don't think this one should be that hard to change to something less specific. Testing a fix seems to work on dev server so far.
"Hey, don't talk about bacon." - Frank Lapidus
SaltedSalmon
Posts: 301
Joined: Wed Nov 24, 2021 2:49 am

Re: Login Page gives too much information

Post by SaltedSalmon »

plscks wrote: Thu Nov 25, 2021 7:42 pm
I don't think this one should be that hard to change to something less specific. Testing a fix seems to work on dev server so far.
Has this been implemented? It has been a while.
Goliath
Posts: 695
Joined: Wed Nov 24, 2021 10:01 am

Re: Login Page gives too much information

Post by Goliath »

Has this been implemented? It has been a while.
I tested this with my username and wrong password, and with a random username and something as password.
It hasn't been implemented.
A Parrot with a Blade - Melee/Touchcaster Holy Champion || GrayScimitar - Heavy Sword Tlac IB || RustyWire - Gunwiz
plscks
Posts: 171
Joined: Wed Nov 10, 2021 2:30 am

Re: Login Page gives too much information

Post by plscks »

Goliath wrote: Sat Feb 26, 2022 12:42 pm
Has this been implemented? It has been a while.
I tested this with my username and wrong password, and with a random username and something as password.
It hasn't been implemented.
I believe this was updated in the latest game update. Thank you for the reminder!
"Hey, don't talk about bacon." - Frank Lapidus
Goliath
Posts: 695
Joined: Wed Nov 24, 2021 10:01 am

Re: Login Page gives too much information

Post by Goliath »

Seems to be working now, lovely
A Parrot with a Blade - Melee/Touchcaster Holy Champion || GrayScimitar - Heavy Sword Tlac IB || RustyWire - Gunwiz