* Achim Hoffmann wrote on Sat, Jan 25, 2003 at 18:08 +0100:
On Fri, 24 Jan 2003, Steffen Dettmer wrote:
* Achim Hoffmann wrote on Thu, Jan 23, 2003 at 23:15 +0100:
Things might get more complicated for attackers if you use, for example, LDAP for authentication; there it's not that simple to get valid usernames.
Yes, interesting point. But in practice I still think that there is a name (claim) and a secret (proof), and to get it clear, the secret is secret :)
LDAP can be configured to return uninformative errors.
This way at least the username must be known (claimed); guessing is worthless or results in a brute force attack.
The same applies for good login / authentication services: normally you should not learn whether the password or already the username is wrong. KDM is an exception; here you can usually see if a username exists (since the default session is read before the password is entered). But here you have the claim to be some user, and you have to prove your identity by proving that you know a secret, the password.

oki,

Steffen

-- 
This letter was produced by machine and therefore bears neither signature nor seal.
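As an added illustration of the login-service behaviour discussed above (the service should not reveal whether the name or the secret was wrong), here is example code that is not part of this thread or of any of the software mentioned in it. It contrasts a leaky check with a uniform one: the leaky version answers "unknown user" and skips the password hashing entirely when the name does not exist, which leaks valid usernames both through the message and through response time; the uniform version always hashes against a real or dummy record and always returns the same message. The user table, the PBKDF2 parameters and the message strings are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Assumed password-hashing parameters for this example only.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; deliberately slow so the work per attempt is visible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed user table for the example (one known account).
USERS = {
    "alice": make_user("correct horse battery staple"),
}

# Dummy record used when the claimed username does not exist, so that the
# unknown-user path performs the same hashing work as a wrong-password attempt.
_DUMMY = make_user(secrets.token_hex(16))


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """Reveals username existence: a distinct message, and no hashing
    work at all for unknown users (a timing oracle as well)."""
    user = USERS.get(username)
    if user is None:
        return False, "unknown user"
    if hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        return True, "ok"
    return False, "wrong password"


def login_uniform(username: str, password: str) -> tuple[bool, str]:
    """Same message and same amount of work whether the name or the secret
    is wrong: the attacker gains nothing from guessing names alone."""
    user = USERS.get(username)
    record = user if user is not None else _DUMMY
    computed = hash_password(password, record["salt"])
    # The 'user is not None' guard keeps the dummy record from ever
    # authenticating, independent of what the comparison returns.
    ok = hmac.compare_digest(computed, record["hash"]) and user is not None
    return ok, ("ok" if ok else "invalid username or password")


if __name__ == "__main__":
    for name, pw in [("alice", "wrong"), ("bob", "wrong")]:
        print(name, "leaky:", login_leaky(name, pw), "uniform:", login_uniform(name, pw))
```

The uniform variant removes the message oracle and the gross timing difference (no hashing for unknown names). It does not by itself hide a database lookup that behaves differently for missing rows; making that path uniform too is a separate exercise.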