[ZendTo] Re: AD login issue because of login name length?

Jules Jules at Zend.To
Fri Nov 23 10:10:19 GMT 2012


As a basic point of security, you never tell an attacker *why* their 
login attempt failed.
Telling them the account is locked out instantly tells them to try 
cracking the next account and give up on this one.

Very bad security practice to tell them any more information than "login 
failed".

So I'm certainly not going to implement it. But you have the source, so 
feel free to implement it yourself. You just need to call NSSError when 
your code realises a login attempt failed because it was locked out.

Jules.

On 21/11/2012 19:59, Brendon Baumgartner wrote:
> Jump to: == Forget it == below. This is a feature request.
>
> Okay, so yesterday I reported successfully dropping off and picking up 
> files so I told some more people to try it. Now I have a new and very 
> strange problem. Hopefully Jules has an idea ;)
>
> Someone said it didn't work (login issue) and it has worked for a few 
> people. Things I have tried:
>
> 1- all kinds of variations of passwords such as removing #'s and 
> symbols, etc. That didn't work.
> 2- Changing problem user name from 6 character length to 9 characters. 
> This worked.
> 3- Change user back to 6 characters.
> ...
>
> == Forget it. ==
> As I was writing it, it occurred to me that maybe the lockout feature 
> was working and it didn't say anything... which turned out to solve my 
> problems!
>
> Could you maybe notify the user their account is locked out? :)
>
> -Brendon
> Jules
>
> -- 
> Julian Field MEng MBCS CITP CEng
> www.Zend.To
>
> Twitter: @JulesFM
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> 'There is one thing stronger than all the armies in the world;
>   and that is an idea whose time has come.'
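Added example, not ZendTo's own code: a minimal Python login check contrasting the per-cause messages the feature request asks for with Jules's rule of one generic "login failed" message, where the precise reason is written only to the server-side log. The user store, salt, usernames and passwords are constructed for the example.

```python
import hashlib
import hmac
import logging

log = logging.getLogger("auth")
GENERIC_FAILURE = "Login failed"   # the only message a browser ever sees
SALT = b"example-salt"             # constructed; real code uses a random per-user salt

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)

# Constructed user store: username -> (password hash, locked_out flag).
USERS = {
    "alice": (_hash("correct horse"), False),
    "bob": (_hash("battery staple"), True),
}

def login_leaky(username, password):
    """What the feature request asks for: a different message per cause.
    Each branch confirms something to an attacker (account exists, is locked)."""
    acct = USERS.get(username)
    if acct is None:
        return False, "No such user"
    pw_hash, locked_out = acct
    if locked_out:
        return False, "Account is locked out"
    if not hmac.compare_digest(_hash(password), pw_hash):
        return False, "Wrong password"
    return True, "OK"

def login(username, password):
    """Jules's rule: every failure returns GENERIC_FAILURE to the user;
    the precise reason goes only to the server-side log, for admins."""
    candidate = _hash(password)  # always hash, so timing does not reveal unknown users
    acct = USERS.get(username)
    if acct is None:
        reason = "unknown user"
    elif acct[1]:
        reason = "account locked out"
    elif not hmac.compare_digest(candidate, acct[0]):
        reason = "bad password"
    else:
        log.info("login ok user=%s", username)
        return True, "OK"
    log.warning("login failed user=%s reason=%s", username, reason)
    return False, GENERIC_FAILURE
```

The admin still learns about lockouts from the log line; only the browser-facing message stays uniform.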

