[horde] Authentication Failure Notification

Andrew Morgan morgan at orst.edu
Thu Dec 4 17:51:07 UTC 2008


On Thu, 4 Dec 2008, Rob MacGregor wrote:

> On Thu, Dec 4, 2008 at 07:59, Tahir Riaz <tahiriaz at comsats.net.pk> wrote:
>>
>>  Respected Sir,
>>              This is the 3rd time I am posting this question in the hope of getting some solution. I can log in to IMP perfectly. Everything is working fine, except that when a user logs in and does not provide a correct username and password, he is redirected back to the login page and there is no notification that his login has failed. There must be some kind of notification of why he cannot log in.
>
> Why?  Most systems these days don't differentiate between invalid
> usernames and wrong passwords to make an attacker's life harder.  How
> much easier it is for them if they receive "Incorrect Username" when
> the username is wrong and "Invalid Password" if the password is wrong
> but the user exists, now they know which accounts to attack.
>
>> I am using the latest stable version of Horde Groupware Webmail and using IMP for authentication.
>
> Generally it's better to provide version numbers as your idea of the
> latest stable may differ from what others believe.

I can confirm the same behavior here with Horde v3.3 and IMP v4.3.  There 
is no message indicating that the login failed.  It simply returns to the 
login screen with the username and password fields empty.  A simple "Bad 
Username or Password" or "Login Failed" message would be nice.

 	Andy
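
Added example (not part of the original thread, and not Horde or IMP code): a login check in Python that does notify the user of a failed login, with one message for both an unknown username and a wrong password, so the notification reveals nothing about which accounts exist. The user store, account names and function names are hypothetical.

```python
import hashlib
import hmac
import os

# One message for every failure, so the response never says which field was wrong.
FAILURE_MESSAGE = "Login failed: bad username or password."
_ITERATIONS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def make_record(password: str) -> tuple[bytes, bytes]:
    """Build a (salt, hash) record for storage."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed sample user store (hypothetical account, not Horde data).
USERS = {"alice": make_record("correct horse")}

# Dummy record: unknown usernames cost the same hashing work as known ones,
# so response time does not reveal whether the account exists either.
_DUMMY = make_record(os.urandom(16).hex())


def login(username: str, password: str) -> tuple[bool, str]:
    """Return (ok, message) for a login attempt."""
    salt, expected = USERS.get(username, _DUMMY)
    candidate = _hash(password, salt)
    # Constant-time comparison of the derived hashes.
    password_ok = hmac.compare_digest(candidate, expected)
    # Both conditions must hold; a match against the dummy record never succeeds.
    if password_ok and username in USERS:
        return True, "Welcome, %s." % username
    return False, FAILURE_MESSAGE


if __name__ == "__main__":
    attempts = [("alice", "correct horse"), ("alice", "wrong"), ("mallory", "x")]
    for user, pw in attempts:
        print(user, login(user, pw))
```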

