Any creative solution to make it harder for hackers to copy your IdP login page?
Martin Lunze
martin.lunze at tu-dresden.de
Wed Mar 28 01:01:21 EDT 2018
Hi Scott,
you are absolutely right, usernames aren't secrets.
I only want to say that this way it's possible for attackers to guess usernames.
In my personal opinion, the first step of a possible attack.
After this, attackers could brute-force passwords in a targeted way.
At our organization I changed the error messages of the IdP shown when
entering wrong credentials.
In both situations (wrong username and wrong password) the same message
will be shown: "Wrong username or password."
It should make it only a bit harder for an attacker, I think.
Nevertheless I use fail2ban to temporarily block attacking IP addresses.
Sorry for the bit of off-topic.
I only want to share my thoughts to help.
With kind regards,
Martin
On 27.03.2018 at 14:45, Cantor, Scott wrote:
>> With the way to enter firstly the name and later the password it could be also
>> possible to brute-force / guess usernames.
>> In my opinion not a good idea!
> It's an even worse idea to turn your usernames into passwords. Usernames aren't secrets.
>
> -- Scott
>
--
Martin Lunze
IT-Systemadministrator
Technische Universität Dresden
Zentrum für Informationsdienste und Hochleistungsrechnen (ZIH)
Operative Prozesse und Systeme (OPS)
01062 Dresden
Tel.: +49 (351) 463-35881
E-Mail: martin.lunze at tu-dresden.de
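The two mitigations Martin describes (one generic error for both wrong-username and wrong-password, plus temporarily blocking an IP after repeated failures, as fail2ban does) as an added, self-contained illustration; this is example code written for this thread, not Shibboleth IdP or fail2ban code. The in-process failure counter stands in for fail2ban's log-driven ban, the user store is a constructed sample, and the dummy-hash step is an addition beyond the post: it keeps the cost of an unknown username equal to that of a known one, so the response time does not leak what the message hides.

```python
import hashlib
import hmac
import time
from collections import defaultdict

GENERIC_ERROR = "Wrong username or password."  # same text for both failure causes
MAX_FAILURES = 5          # failures per IP before a temporary block
BAN_SECONDS = 600         # block duration, in the spirit of fail2ban's bantime

def _hash(password: str, salt: bytes) -> bytes:
    # Low iteration count only to keep this demo fast; use far more in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

# Constructed sample user store (hypothetical user and password).
_SALT = b"constructed-demo-salt"
USERS = {"alice": _hash("correct horse", _SALT)}
# Dummy hash: unknown usernames still pay for one hash computation.
_DUMMY_HASH = _hash("not-a-real-password", _SALT)

class Authenticator:
    """Enumeration-resistant login with per-IP temporary blocking."""

    def __init__(self, now=time.time):
        self.now = now                      # injectable clock for testing
        self.failures = defaultdict(list)   # ip -> timestamps of recent failures

    def is_banned(self, ip: str) -> bool:
        # Keep only failures inside the ban window, then compare to threshold.
        recent = [t for t in self.failures[ip] if self.now() - t < BAN_SECONDS]
        self.failures[ip] = recent
        return len(recent) >= MAX_FAILURES

    def login(self, ip: str, username: str, password: str):
        if self.is_banned(ip):
            # Block message mentions neither username nor password validity.
            return (False, "Too many attempts; try again later.")
        stored = USERS.get(username, _DUMMY_HASH)
        # Always compute and compare a hash, whether or not the user exists;
        # compare_digest avoids early-exit timing differences on the hash itself.
        hash_ok = hmac.compare_digest(_hash(password, _SALT), stored)
        if not (hash_ok and username in USERS):
            self.failures[ip].append(self.now())
            return (False, GENERIC_ERROR)   # identical for unknown user and bad password
        return (True, "OK")
```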