Support the ongoing development of Laravel.io →
Authentication Security
Last updated 2 years ago.
0

Yep - I just return a message along the lines of "If your email address was found in our database we have sent you details on how to reset your password." regardless of if it was found or not.

Last updated 2 years ago.
0

The problem is they can just 'brute force' the usernames on the sign up page - so you are not really stopping the exposure of usernames to brute force. i.e. try and sign up using different email address will often return validation errors that "the username is already in use".

They can then use this information when trying to brute force the password.

All you are going to really achieve is to annoy users who cant remember their details, and risk them leaving your website.

So I dont think its worth the worry. You would be better spent forcing a good password with password security rules. Maybe even have a list of the top 100 passwords and dont let people choose one of those. Because anyone who tries to brute force a password will just start with that anyway...

The other option is to throttle login attempts per username/IP etc...

Last updated 2 years ago.
0

TheShiftExchange said:

The problem is they can just 'brute force' the usernames on the sign up page - so you are not really stopping the exposure of usernames to brute force. i.e. try and sign up using different email address will often return validation errors that "the username is already in use".

They can then use this information when trying to brute force the password.

I agree, however in my situation users are registered outside of the web app so this isn't an issue for me

Last updated 2 years ago.
0

Sign in to participate in this thread!

Eventy

Your banner here too?

bigarnie bigarnie Joined 15 Jul 2014

Moderators

We'd like to thank these amazing companies for supporting us

Your logo here?

Laravel.io

The Laravel portal for problem solving, knowledge sharing and community building.

© 2024 Laravel.io - All rights reserved.