On Thu, Jun 27, 2002 at 12:02:53AM -0700, lcrocker(a)nupedia.com wrote:
> > I attempted to
> > log in with my username and password from the
> > real site and got the message "There is no user by the name
> > \"PierreAbbat\".". A username/password check should not reveal
> > whether it is the username or the password that is wrong.
>
> I'm not sure that really applies here, where anyone can get a
> complete user list anytime anyway (of course it doesn't have
> any real information like email addresses or anything).
> Is there any real security reason to hide our user list?

Even if you would do that I could still find out if user X exists by trying
to create a new account for X.
-- Jan Hidders
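
Added example, not part of the original thread and not the wiki's own code: a sketch of the two login behaviours discussed above, plus the signup check that still answers "does user X exist?". The UserStore class, the "Incorrect password." and "Username already taken." messages, and the PBKDF2 parameters are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed value for this example


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class UserStore:
    """Hypothetical in-memory account table (constructed for this example)."""

    def __init__(self):
        self._users = {}
        # Dummy record so unknown names cost the same hash work as known ones.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash("unused", self._dummy_salt)

    def register(self, name: str, password: str) -> str:
        # The point of the last reply: a signup form that refuses taken names
        # reveals whether X exists, whatever the login form says.
        if name in self._users:
            return "Username already taken."
        salt = os.urandom(16)
        self._users[name] = (salt, _hash(password, salt))
        return "Account created."

    def login_leaky(self, name: str, password: str) -> str:
        # Behaviour reported in the thread: a distinct message per failure cause.
        if name not in self._users:
            return f'There is no user by the name "{name}".'
        salt, stored = self._users[name]
        if not hmac.compare_digest(stored, _hash(password, salt)):
            return "Incorrect password."
        return "Logged in."

    def login_uniform(self, name: str, password: str) -> str:
        # Same message and same hashing work whether name or password is wrong.
        salt, stored = self._users.get(name, (self._dummy_salt, self._dummy_hash))
        ok = hmac.compare_digest(stored, _hash(password, salt))
        if ok and name in self._users:
            return "Logged in."
        return "Incorrect username or password."
```

The uniform login only removes the login form as a source of that information; register() and any public user list still reveal which names exist.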