Simon Large wrote:
> SteveKing wrote:
>
>>VERY bad idea. That would also mean that you'd have to choose the same
>>username in the issue tracker as your login name is. That's something
>>you should never do! Your login name should _never_, _ever_ be
>>something you pick for other things, especially not if the issue
>>tracker is located somewhere on the internet.
>
>
> Pardon my ignorance, but why? It is very common practice for companies
> to allocate login names as some form of the name of the user, like
> slarge, l.onken, stefank, etc. and use the same name as part of the
> email address, which effectively makes the username public. Same for
> many ISPs, login name = email address. Surely it is the password which
> needs to be secure, not the username.
That was true (and I admit in many companies still is) two/three years
ago. But today, that shouldn't be done anymore! Because if the login
name isn't known (public), a hacker has one more thing to find out to
break into the system. If the username is known, only the password has
to be cracked.
And it's considered a security flaw in a program which returns different
error messages depending on what's wrong: username or password. A
program should always return the same error (and in the same amount of
time, to avoid giving that information away by, say, a longer wait when
the password is wrong) if either the login or the password is wrong.
Stefan
--
___
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.tigris.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tortoisesvn.tigris.org
For additional commands, e-mail: dev-help@tortoisesvn.tigris.org
Received on Mon Feb 21 22:00:15 2005
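The point Stefan makes about login errors, shown as an added Python example that is not part of this thread and not TortoiseSVN code. It contrasts a login check that leaks which field was wrong (distinct messages, early exit before any password hashing) with one that returns the same message and does the same hashing work whether the username or the password is wrong. The user store, the sample user `slarge`, the password and the iteration count are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store: username -> (salt, PBKDF2-HMAC-SHA256 hash).
# The user and password below are invented for this example.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length hash; the work factor is the same for every call."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user(password: str):
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


USERS = {
    "slarge": make_user("correct horse battery staple"),
}

# Dummy credential, used when the username does not exist, so that the
# password-hashing work (and therefore the response time) is identical
# for "unknown user" and "wrong password".
_DUMMY_SALT, _DUMMY_HASH = make_user(os.urandom(16).hex())

GENERIC_ERROR = "Invalid username or password"


def login_leaky(username: str, password: str):
    """The flawed design from the thread: different errors, and an early
    return that skips the hashing work when the user does not exist."""
    if username not in USERS:
        return False, "Unknown user"            # reveals the username is wrong
    salt, stored = USERS[username]
    if hash_password(password, salt) != stored:  # non-constant-time compare
        return False, "Wrong password"          # confirms the username exists
    return True, "OK"


def login_uniform(username: str, password: str):
    """Same error text and the same amount of work whichever field is wrong."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)   # always performed
    # compare_digest avoids an early-exit byte comparison; the membership
    # check guards against a chance match with the dummy credential.
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    if not ok:
        return False, GENERIC_ERROR
    return True, "OK"


if __name__ == "__main__":
    for user, pw in [("nobody", "x"), ("slarge", "x"),
                     ("slarge", "correct horse battery staple")]:
        print(f"{user!r:10} leaky={login_leaky(user, pw)!s:26} "
              f"uniform={login_uniform(user, pw)}")
```

Run as a script it prints the two behaviours side by side: `login_leaky` gives "Unknown user" for `nobody` and "Wrong password" for `slarge`, while `login_uniform` returns the same generic message for both failures. The dummy-hash trick is what keeps the failing paths at the same cost; without it the missing-user path would return noticeably faster than a real PBKDF2 verification, which is the timing leak the message warns about.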