Any creative solution to make it harder for hackers to copy your IdP login page?

Martin Lunze martin.lunze at
Wed Mar 28 01:01:21 EDT 2018

Hi Scott,

your are absolutely right, usernames aren't secrets.

I only want to say, this way its possible for attackers to guess usernames.
In my personal opinion the first step of a possible attack.

After this attackers could bruteforce passwords target-oriented.

At our organization i changed the error messages of idp shown when 
entering wrong credentials.
In both situations (wrong username and wrong password) the same message 
will be shown: "Wrong username or password."
It should make it only a bit harder for an attacker i think.

Nevertheless i use fail2ban to temporary block attacking ip addresses.

Sorry for the bit of offtopic.
I only want to share my thoughts to help.

With nice regards.

Am 27.03.2018 um 14:45 schrieb Cantor, Scott:
>> With the way to enter firstly the name and later the password it could be also
>> possible to bruteforce / guess usernames.
>> In my opinion not a good idea!
> It's an even worse idea to turn your usernames into passwords. Usernames aren't secrets.
> -- Scott

Martin Lunze

Technische Universität Dresden
Zentrum für Informationsdienste und Hochleistungsrechnen (ZIH)
Operative Prozesse und Systeme (OPS)
01062 Dresden

Tel.: +49 (351) 463-35881
E-Mail: martin.lunze at

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5677 bytes
Desc: S/MIME Cryptographic Signature
URL: <>

More information about the users mailing list