• Vigge93@lemmy.world · 11 upvotes · 10 months ago

    That would be an extremely bad idea tho, because it would allow a malicious attacker to

    1. Try random usernames, and if the website returns a hash they know that user exists
    2. Once they have the hash, and the hashing algorithm, it is much easier to brute-force the password, bypassing any safeguards on the server

    Username/password validation should happen entirely server-side, with as little information as possible provided to the client

    • grrgyle@slrpnk.net · 7 upvotes · 10 months ago

      Username/password validation should happen entirely server-side, with as little information as possible provided to the client

      Yyyup. This is also why it’s good practice to respond with HTTP 404 if a public user has tried to access user data they shouldn’t have access to, whether it exists or not. Don’t give them the hint that they hit a path that has forbidden data.

    • aesthelete@lemmy.world · 3 upvotes · 10 months ago

      Username/password validation should happen entirely server-side, with as little information as possible provided to the client

      💯

      It’s recommended practice to not even tell them which half of the username/password combination failed upon authentication failures.
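A server-side login check along the lines the three comments describe, added here as an example and not taken from any commenter: the hash never leaves the server, unknown-user and wrong-password attempts get the same generic reply (and the same amount of hashing work, so timing does not leak which usernames exist), and a protected record the caller may not see answers 404 whether or not it exists. The user store, note store, usernames and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Password hashing stays on the server; the client only ever receives a verdict.
def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed in-memory user store: username -> (salt, PBKDF2 hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _derive("correct horse battery staple", _SALT))}

# Dummy record used when the username is unknown, so the server does the same
# hashing work either way and response time does not reveal which users exist.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _derive("unused-dummy-password", _DUMMY_SALT)

# One message for every failure: never say which half of the pair was wrong.
GENERIC_FAILURE = "Invalid username or password"


def login(username: str, password: str) -> tuple[int, str]:
    """Return (http_status, message); identical reply for unknown user and wrong password."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _derive(password, salt)
    # Constant-time comparison is done unconditionally; a match against the
    # dummy record is still rejected because the username is not in the store.
    match = hmac.compare_digest(candidate, stored)
    if match and username in USERS:
        return 200, "OK"
    return 401, GENERIC_FAILURE


# Constructed protected data: owner -> {note_id: contents}.
NOTES = {"alice": {"note-1": "private"}}


def fetch_note(requester: str, owner: str, note_id: str) -> tuple[int, str]:
    """404 for anything the requester may not see, whether the note exists or not."""
    if requester != owner or note_id not in NOTES.get(owner, {}):
        return 404, "Not found"
    return 200, NOTES[owner][note_id]
```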