nick__m on Sept 20, 2022 | on: Tell HN: Somebody implemented something I wrote a ...
You would have to randomize the error when the wrong password is inputted and ensure that for a particular username the returned error is invariant. Else an attacker could infer that when you get a different error you have a correct password.
ezekg on Sept 20, 2022
The bad password error would only be sent if the second factor is valid, though.