On Fri, 24 Jan 2003, Steffen Dettmer wrote:
> * Achim Hoffmann wrote on Thu, Jan 23, 2003 at 23:15 +0100:
> > Things might get more complicated for attackers if you use for example LDAP as authentication, there it's not that simple to get valid usernames.
> Yes, interesting point. But in practice I still think that there is a name (claim) and a secret (prove), and to get it clear, the secret is secret :)
LDAP can be configured to return inexpressive errors (for example: "invalid login") for any combination of: valid username, valid password, unknown username, invalid password (where the tuple valid username with valid password succeeds, of course:) This way at least the username must be known (claimed), guessing is worthless or results in a brute force attack. (not sure about OpenLDAP for now)

Achim
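The behaviour Achim describes, modelled on the application side as an added example (not code from the thread or from any LDAP server): a login routine that leaks whether the username exists next to one that answers "invalid login" for every failing combination and does the same hashing work for unknown users so the timing does not leak it either. The in-memory user store, salt and PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample user store: username -> (salt, PBKDF2-SHA256 hash).
_ITERATIONS = 50_000  # low for a quick demo; use more in production
_SALT = b"constructed-salt"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential used for unknown usernames so the same work is done either way.
_DUMMY = (_SALT, _hash(secrets.token_hex(16), _SALT))


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """Enumeration-friendly: a different message for unknown user vs wrong password."""
    if username not in USERS:
        return (False, "unknown user")
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return (False, "wrong password")
    return (True, "ok")


def login_uniform(username: str, password: str) -> tuple[bool, str]:
    """Every failure, unknown username included, yields the same 'invalid login'."""
    salt, stored = USERS.get(username, _DUMMY)
    # Hash and compare even for unknown users; the final check rules out a dummy match.
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    return (ok, "ok" if ok else "invalid login")
```

With the uniform variant a caller only learns that the (username, password) pair is wrong, so the username still has to be known or brute-forced along with the password.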