
Re: [TSVN] bugtraq feature extension

From: SteveKing <steveking_at_gmx.ch>
Date: 2005-02-21 21:58:25 CET

Simon Large wrote:
> SteveKing wrote:
>
>>VERY bad idea. That would also mean that you'd have to choose the same
>>username in the issue tracker as your login name is. That's something
>>you should never do! Your login name should _never_, _ever_ be
>>something you pick for other things, especially not if the issue
>>tracker is located somewhere on the internet.
>
>
> Pardon my ignorance, but why? It is very common practice for companies
> to allocate login names as some form of the name of the user, like
> slarge, l.onken, stefank, etc. and use the same name as part of the
> email address, which effectively makes the username public. Same for
> many ISPs, login name = email address. Surely it is the password which
> needs to be secure, not the username.

That was true (and I admit in many companies still is) two/three years
ago. But today, that shouldn't be done anymore! Because if the login
name isn't known (public) a hacker has one more thing to find out to
break into the system. If the username is known, only the password has
to be cracked.
And it's considered a security flaw in a program which returns different
error messages depending on what's wrong: username or password. A
program should always return the same error (and in the same amount of
time, to avoid giving that information away by, say, a longer wait when
the password is wrong) if either the login or the password is wrong.

Stefan

-- 
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest Interface to (Sub)Version Control
    /_/   \_\     http://tortoisesvn.tigris.org
Received on Mon Feb 21 22:00:15 2005
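The point Stefan makes about uniform error messages and uniform timing, shown as an added example that is not part of the original mail or of TortoiseSVN: a leaky login check beside a hardened one. The in-memory user store, the dummy credential, and the function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Derive a password hash with PBKDF2; the cost is what makes timing differences visible.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store: username -> (salt, stored hash). Not real credentials.
_SALT = os.urandom(16)
USERS = {"slarge": (_SALT, _hash_password("correct horse", _SALT))}

# Dummy credential hashed once at startup, so a lookup miss still pays the
# same PBKDF2 cost as a real user and the response time does not reveal
# whether the username exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-placeholder", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> tuple:
    """Leaky variant: distinct messages and an early return on unknown users
    let a caller tell which usernames exist."""
    if username not in USERS:
        return (False, "unknown user")          # fast path, no hashing at all
    salt, stored = USERS[username]
    if _hash_password(password, salt) != stored:
        return (False, "wrong password")        # slow path, one PBKDF2 run
    return (True, "ok")


def login_uniform(username: str, password: str) -> tuple:
    """Hardened variant: one message for both failure causes, and the same
    amount of hashing work on every path."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # compare_digest avoids early exit on the first differing byte; the
    # non-short-circuit '&' keeps the membership check from being skipped,
    # and rejects a guess that happens to match the dummy credential.
    ok = hmac.compare_digest(candidate, stored) & (username in USERS)
    return (ok, "ok" if ok else "invalid username or password")


def reveals_username(login) -> bool:
    """Defender's check: does the login function answer an unknown user and a
    known user with a wrong password differently?"""
    unknown_msg = login("no-such-user", "x")[1]
    wrong_pw_msg = login("slarge", "x")[1]
    return unknown_msg != wrong_pw_msg


if __name__ == "__main__":
    print("leaky reveals usernames:  ", reveals_username(login_leaky))
    print("uniform reveals usernames:", reveals_username(login_uniform))
```

The dummy-credential trick is what makes the timing side uniform: without it, the hardened function would still answer unknown users faster than known ones, even though the message is identical.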

This is an archived mail posted to the TortoiseSVN Dev mailing list.