Security best practices

[OneOffAccount]

The new website's authentication violates security best practices. It tells the user if the password is invalid or if the email is incorrect. This makes it far easier to brute force accounts and also exposes all user email addresses.

[IvanTehFennec]

I think you're just too paranoid about it. Loads of websites do this.

[Kimberly]

Just because a lot of websites do it, doesn't make it a good idea.

[Galacticruler]

Its not ikely someone will even bother hacking forum accounts, not profitable enough.

[tntristan12]

I think you're just too paranoid about it. Loads of websites do this.

That is exactly what a hacker would say... >_O

[IvanTehFennec]

That is exactly what a hacker would say... >_O

Sure, because I'm totally interested in mining the data of 13 year olds.

[Themohawkninja]

This should be in the forum forum.

And either way, nothing is hack proof, and what you suggest would just delay the inevitable if somebody really wanted to hack the site.

[Anton P. Nym]

Forum security is an issue of striking a balance between degree of bulletproofness and usability. If Squad really wanted to use industry best practices for security it'd require 2-part authentication... but it would be too much of a hassle for folks to make them dig around for their phone or tablet or whatever just to log in. If personally-identifiable information (PII) was stored here like purchase orders or the like, maybe it would be acceptable degree of inconvenience; but not for a non-commercial social forum.

During the Great Forum Whoopsies this week with v0.21's release, I got Error-500'd while logging in and tripped the "failed to log in too many times" threshold somehow. This made me wait for I think it was an hour before allowing me to sign back in. I think that's enough protection while keeping the forums simple to use.

-- Steve