+3
Closed

Login Attempts return If the user or the password was incorrect

DanMyers 3 years ago updated by anonymous 2 years ago 4

When attempting to log in to your Control center, if you put in the wrong password it actually says "Invalid Password, please try again". If you put in a correct password, or a username that doesn't exist, it states "Invalid Username Please try again".


For security purposes, you should receive the same error response regardless of which field was incorrect.


This should be changed to "Invalid username or password, please try again" for all incorrect logins, regardless of which was wrong.

Answer
Closed

Hi All,

I suggest you guys update the web resources, LoginPanel.InvalidPasswordText and LoginPanel.InvalidUserNameText, so the error doesn't indicate which field has an incorrect value. 

I don't disagree with your point, but from our point of view this isn't a bug because everything is working as we intend.  I'm moving this over to the feature request forum for PM to weigh in on the discussion.

-1

It is basic opsec to not disclose if an attempted authentication attempt has a correct username on a platform such as this. 


This should be treated as a bug not a feature request.
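The change requested in this thread, as an added example that is not part of the original posts or the product's own code: a login check that returns the two field-specific messages quoted above, beside one that returns the single proposed message. It goes slightly beyond the thread by also doing the same hashing work for unknown usernames, so response time does not reveal what the message no longer does. The account `dan`, the function names and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Invalid username or password, please try again"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_record(password: str):
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed sample account store (hypothetical user and password).
USERS = {"dan": _make_record("correct horse")}
# Dummy record: lets unknown usernames go through the same hash computation.
_DUMMY = _make_record(os.urandom(16).hex())


def login_leaky(username: str, password: str):
    """Behaviour described in the post: the message names the failing field."""
    rec = USERS.get(username)
    if rec is None:
        return False, "Invalid Username Please try again"
    if not hmac.compare_digest(_hash(password, rec[0]), rec[1]):
        return False, "Invalid Password, please try again"
    return True, "OK"


def login_uniform(username: str, password: str):
    """One message and one code path for every failed login."""
    rec = USERS.get(username)
    salt, expected = rec if rec is not None else _DUMMY
    password_ok = hmac.compare_digest(_hash(password, salt), expected)
    if rec is None or not password_ok:
        return False, GENERIC_ERROR
    return True, "OK"


def distinguishable(login, known_user: str, unknown_user: str) -> bool:
    """True if a failed login answers differently for existing vs. missing users."""
    return login(known_user, "wrong-pw") != login(unknown_user, "wrong-pw")
```

`distinguishable` works as a regression check: it should stay `False` for whatever login function is deployed, including after error-text resources are customised.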
