secure-sw-dev-fundamentals reviews and mentions
“Invalid Username or Password”: a useless security measure
Exactly, if you reveal that an account exists when you just type in an email address, then you have a privacy failure and probably a security failure.
For example, the OpenSSF's secure software development fundamentals course <https://openssf.org/training/courses/> in its section on minimizing feedback <https://github.com/ossf/secure-sw-dev-fundamentals/blob/main...> says:
* If a user tries to create an account using an email address, don't tell the user if an account with that email address already exists. Similarly, if a user tries to do a password reset using an email address, don't tell the user if there is no account with that email address. Providing that information would allow an attacker to determine if a specific email address is being used (or not) by some existing account.
Now for the unpopular take: not everyone lives in the US. The GDPR requires protection of personally-identifying information, and in many cases that includes email addresses that identify individuals. There are exceptions, but it's typically better to keep email addresses private unless the user specifically authorizes it.
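As an added illustration of the "minimize feedback" guidance quoted above (example code written for this page, not from the OpenSSF course or the commenter), the following Python shows a password-reset and a sign-up handler in both forms: a leaky version whose HTTP response differs depending on whether the address is registered, and a uniform version that returns the same text on both paths, does the same token work on both paths, and moves the account-specific information into the email itself, where only the mailbox owner can see it. The user store, the `Outbox` queue and the function names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample user store; these are not real accounts.
USERS = {"alice@example.com": {"id": 1}, "bob@example.com": {"id": 2}}
RESET_TOKENS: dict = {}   # email -> sha256(token) for issued reset tokens
VERIFY_TOKENS: dict = {}  # email -> sha256(token) for pending sign-ups


@dataclass
class Outbox:
    """Stand-in for an asynchronous mail queue. Whatever is queued here is
    seen only by the mailbox owner, never by the web client that made the
    request, so account-specific wording belongs here and not in the
    HTTP response."""
    sent: list = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.sent.append((to, subject, body))


def _issue_token() -> tuple:
    """Generate a token and its hash; run on every request path so the
    amount of work does not depend on whether the account exists."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode()).hexdigest()


def leaky_reset(email: str, outbox: Outbox) -> str:
    """The pattern the course warns against: the response body tells the
    caller whether the address is registered."""
    if email not in USERS:
        return "No account with that email address"
    token, token_hash = _issue_token()
    RESET_TOKENS[email] = token_hash
    outbox.send(email, "Password reset", token)
    return "Reset email sent"


GENERIC_RESET_MSG = ("If an account exists for that address, a password "
                     "reset link has been sent to it.")


def uniform_reset(email: str, outbox: Outbox) -> str:
    """Hardened: same response text and same token work on both paths.
    Only the registered path enqueues mail, and enqueueing is cheap."""
    token, token_hash = _issue_token()
    if email in USERS:
        RESET_TOKENS[email] = token_hash
        outbox.send(email, "Password reset", token)
    return GENERIC_RESET_MSG


def verify_reset(email: str, presented_token: str) -> bool:
    """Token check that also avoids leaking account existence: compare
    against a dummy hash when there is no stored token, and use a
    constant-time comparison either way."""
    stored = RESET_TOKENS.get(email, "0" * 64)
    presented_hash = hashlib.sha256(presented_token.encode()).hexdigest()
    return hmac.compare_digest(stored, presented_hash) and email in RESET_TOKENS


GENERIC_SIGNUP_MSG = "Check your email to continue creating your account."


def uniform_register(email: str, outbox: Outbox) -> str:
    """Sign-up with the same response whether or not the address is taken.
    An existing account holder is told by email that someone tried to
    register with their address; a new address gets a verification token."""
    token, token_hash = _issue_token()
    if email in USERS:
        outbox.send(email, "Account already exists",
                    "Someone tried to sign up with this address. If it was "
                    "you, use the password reset flow instead.")
    else:
        VERIFY_TOKENS[email] = token_hash
        outbox.send(email, "Verify your email address", token)
    return GENERIC_SIGNUP_MSG
```

The uniform handlers still need rate limiting per source address and per target email, since identical responses do not stop someone from triggering large volumes of reset mail; that is a separate control from the feedback minimization shown here.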
Stats
ossf/secure-sw-dev-fundamentals is an open source project licensed under Creative Commons Attribution 4.0, which is not an OSI-approved license.
The primary programming language of secure-sw-dev-fundamentals is CSS.