SteveKing <firstname.lastname@example.org> wrote on 02/21/2005 03:58:25 PM:
> Simon Large wrote:
> > SteveKing wrote:
> >> VERY bad idea. That would also mean that you'd have to choose the same
> >> username in the issue tracker as your login name is. That's something
> >> you should never do! Your login name should _never_, _ever_ be
> >> something you pick for other things, especially not if the issue
> >> tracker is located somewhere on the internet.
> > Pardon my ignorance, but why? It is very common practice for companies
> > to allocate login names as some form of the name of the user, like
> > slarge, l.onken, stefank, etc. and use the same name as part of the
> > email address, which effectively makes the username public. Same for
> > many ISPs, login name = email address. Surely it is the password which
> > needs to be secure, not the username.
> That was true (and I admit in many companies still is) two/three years
> ago. But today, that shouldn't be done anymore! Because if the login
> name isn't known (public) a hacker has one more thing to find out to
> break into the system. If the username is known, only the password has
> to be cracked.
> And it's considered a security flaw in a program which returns different
> error messages depending on what's wrong: username or password. A
> program should always return the same error (and in the same time, to
> avoid giving that information by, say, a longer wait time when the
> password is wrong) if either the login or the password is wrong.
I do not disagree with this, but I think it has little to do with being
able to pass the Windows username in a URL. Doing so is not a security
violation and it would only be done if someone was using the same username
for several different systems.
If there were other uses for this idea, then how about this?
Create a new preference page where you can define local variables and
values. So maybe my issue tracker uses the variable %TIGRIS_ID% and you
have to define that variable and your ID locally to use the feature? Like
I said, maybe there are some other features like commit message templates
that could benefit from this?
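The behaviour SteveKing argues for above (one error message, and the same amount of work, whether the username or the password is wrong) shown as an added Python example; it is not code from this thread or from TortoiseSVN, and the user record, salt and passwords are constructed.

```python
import hashlib
import hmac
import os

# Password hashing used by both variants (PBKDF2-HMAC-SHA256, fixed cost).
def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed sample user store: username -> (salt, stored hash).
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {"slarge": (_SALT, _hash_pw("correct horse", _SALT))}

# Dummy record so that an unknown username costs the same hashing work
# as a known one (no early return that an attacker could time).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_pw("", _DUMMY_SALT)

UNIFORM_ERROR = "invalid username or password"

def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """The flaw described in the thread: the message tells the caller whether
    the username exists, and unknown users are answered without hashing,
    so the response is also measurably faster."""
    if username not in USERS:
        return (False, "unknown user")
    salt, stored = USERS[username]
    if _hash_pw(password, salt) != stored:
        return (False, "wrong password")
    return (True, "ok")

def login_uniform(username: str, password: str) -> tuple[bool, str]:
    """Hardened form: same message for every failure, the same hashing
    work for known and unknown users, and a constant-time comparison."""
    known = username in USERS
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_pw(password, salt)
    # Bitwise & (not `and`) so the username check never short-circuits.
    ok = hmac.compare_digest(candidate, stored) & known
    return (ok, "ok" if ok else UNIFORM_ERROR)
```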
Received on Mon Feb 21 22:04:57 2005