[ZendTo] Re: AD login issue because of login name length?

Artyom Aleksandrov mailing.list at tem4uk.ru
Fri Nov 23 10:38:35 GMT 2012


Absolutely agree with Jules. It's non security.


On Fri, Nov 23, 2012 at 2:10 PM, Jules <Jules at zend.to> wrote:

> As a basic point of security, you never tell an attacker *why* their
> login attempt failed.
> Telling them the account is locked out instantly tells them to try
> cracking the next account and give up on this one.
>
> Very bad security practice to tell them any more information than "login
> failed".
>
> So I'm certainly not going to implement it. But you have the source, so
> feel free to implement it yourself. You just need to call NSSError when
> your code realises a login attempt failed because it was locked out.
>
> Jules.
>
> On 21/11/2012 19:59, Brendon Baumgartner wrote:
> > Jump to : == Forget it == below. This is a feature request.
> >
> > Okay, so yesterday I reported successfully dropping off and picking up
> > files so I told some more people to try it. Now I have a new and very
> > strange problem. Hopefully Jules has an idea ;)
> >
> > Someone said it didn't work (login issue) and it has worked for a few
> > people. Things I have tried:
> >
> > 1- all kinds of variations of passwords such as removing #'s and
> > symbols, etc. That didn't work.
> > 2- Changing problem user name from 6 character length to 9 characters.
> > This worked.
> > 3- Change user back to 6 characters.
> > ...
> >
> > == Forget it. ==
> > As I was writing it, it occurred to me that maybe the lockout feature
> > was working and it didn't say anything... which turned out to solve my
> > problems!
> >
> > Could you maybe notify the user their account is locked out? :)
> >
> > -Brendon
> > Jules
> >
> > --
> > Julian Field MEng MBCS CITP CEng
> > www.Zend.To
> >
> > Twitter: @JulesFM
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >
> > 'There is one thing stronger than all the armies in the world;
> >   and that is an idea whose time has come.'
>
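The practice discussed in this thread, as an added example that is not part of the original messages and not ZendTo's code: every failed login returns the same "login failed" text, while the actual cause (including a lockout) goes only to a server-side log where an administrator can look it up. The class, function and logger names and the lockout policy values are assumptions made for illustration.

```python
import hashlib, hmac, logging, os, time

GENERIC_FAILURE = "login failed"         # the only failure text a client ever sees
MAX_FAILURES, LOCKOUT_SECONDS = 3, 900   # assumed lockout policy
audit = logging.getLogger("auth.audit")  # server-side log, read by admins only

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginService:
    def __init__(self, clock=time.time):
        self.users, self.failures, self.clock = {}, {}, clock
        self.dummy_salt = os.urandom(16)

    def add_user(self, name, password):
        salt = os.urandom(16)
        self.users[name] = (salt, hash_password(password, salt))

    def is_locked(self, name):
        count, last = self.failures.get(name, (0, 0.0))
        if count >= MAX_FAILURES and self.clock() - last >= LOCKOUT_SECONDS:
            self.failures.pop(name, None)  # lockout expired, start counting again
            return False
        return count >= MAX_FAILURES

    def login(self, name, password):
        """Return (ok, message); on failure the message never reveals the cause."""
        salt, stored = self.users.get(name, (self.dummy_salt, b""))
        supplied = hash_password(password, salt)  # same work for unknown users
        if self.is_locked(name):
            reason = "locked_out"
        elif name not in self.users:
            reason = "unknown_user"
        elif not hmac.compare_digest(supplied, stored):
            reason = "bad_password"
        else:
            self.failures.pop(name, None)
            return True, "ok"
        if reason != "locked_out":  # failures for unknown names are counted too
            count, _ = self.failures.get(name, (0, 0.0))
            self.failures[name] = (count + 1, self.clock())
        # %r escapes control characters, so a crafted name cannot forge log lines
        audit.warning("login failure user=%r reason=%s", name, reason)
        return False, GENERIC_FAILURE
```

An administrator diagnosing a report like the one in this thread would search the audit log for the user name and find `reason=locked_out` there.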