Re: Display name on registration.
Reply #1 –
Word!
You and your common sense Ant...
Re: Display name on registration.
Reply #2 –
Along those lines, we should also consider dumbing down our login form. Today we will say if it's an invalid username OR invalid password on the form. Makes it easy to know if you have a valid userid and can work against that.
I think it should just say an invalid username or password was entered.
Re: Display name on registration.
Reply #3 –
Actually, I can't agree with that. If you know whether a username is invalid or not, you can brute force it, eliminating any benefit to cloaking usernames with different display names.
Re: Display name on registration.
Reply #4 –
Hey Arantor (and welcome)
Not sure I follow what you are indicating ... today the login form will let you know if an entered username is valid, and I was suggesting removing that potential hint with a single error along the lines of "the supplied credentials are invalid" ... is that what you are not agreeing with?
Re: Display name on registration.
Reply #5 –
I thought you were making it more explicit than it currently is. Right now, yes, it does infer the two different states through careful wording, and IMHO it shouldn't say anything. It's something I've not been able to convince others of so much either.
But you get into the realms of usability vs security. It is undoubtedly more usable to know that the password was wrong vs the username was wrong, but it is less secure.
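The behaviour discussed in Replies #2 through #5, as an added example that is not part of the thread and not the forum software's own code: a login check whose distinct messages confirm valid usernames, beside one that returns a single error and does the same hashing work for unknown usernames. The account store, function names and the two distinct messages are constructed for illustration; the generic wording follows Reply #4.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "The supplied credentials are invalid."


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hashing the real system uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}


# Constructed sample account store.
USERS = {"alice": make_user("correct horse")}

# Dummy record: unknown usernames are checked against it so they cost
# the same hash computation as known ones (no timing hint).
_DUMMY = make_user(os.urandom(16).hex())


def login_leaky(username: str, password: str):
    """Before: the message tells the caller whether the username exists."""
    user = USERS.get(username)
    if user is None:
        return False, "That username does not exist."
    if not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return False, "Incorrect password."
    return True, "Welcome."


def login_uniform(username: str, password: str):
    """After: one message for every failure, same work on every path."""
    user = USERS.get(username)
    record = user if user is not None else _DUMMY
    candidate = _hash(password, record["salt"])
    matches = hmac.compare_digest(candidate, record["hash"])
    if user is None or not matches:
        return False, GENERIC_ERROR
    return True, "Welcome."
```

The same single-message rule has to hold on any other form that accepts a username, such as registration or password reset, or the hint simply moves there.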
Re: Display name on registration.
Reply #9 –
At least a spamFlood may help. I think.