Let’s gooooooooo

  • Venator@kbin.social
    link
    fedilink
    arrow-up
    18
    ·
    1 year ago

    There should be an error, but it shouldn’t say whether it was the email or password that was wrong.

    • Spzi
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      3
      ·
      edit-2
      1 year ago

      An attacker would still know the account exists, and they would know the password did not match.

      Or you’re assuring them that specific password is used by some account, just not this one. Which is even worse.

        • Spzi
          link
          fedilink
          English
          arrow-up
          4
          ·
          1 year ago

          Right, I misread “shouldn’t” for “should”.