Ticket #630 (new task)
Security audit of error messages displayed during login/registration
|Reported by:||BrianKoontz||Owned by:||unassigned|
I have some reservations from a security standpoint about generating error messages that indicate a username does or does not exist (see #622). Someone could use this information to identify accounts to attempt password cracks on. At some point in the future, it might be prudent to revisit this mod and come up with something more secure (for instance, throttling to prevent multiple login/registration requests within a given period of time).
Related tickets: #622