While developing a user system for a website, I researched good practices for security and privacy in user system implementations. One website that has interesting information about passwords is GRC, which is run by Security Now host Steve Gibson.
Another interesting website I found had an article titled "Salted Password Hashing - Doing it Right" with interesting tips and links to source code in different programming languages on GitHub. I used their provided C# code for implementing the PBKDF2 cryptographic hash algorithm in an ASP.NET MVC project recently.
Anyway, what I would like to discuss is one point from the article that seems outstanding, yet simple:
In step 4, never tell the user if it was the username or password they got wrong. Always display a generic message like "Invalid username or password." This prevents attackers from enumerating valid usernames without knowing their passwords.
Should Vanilla's error message be changed to display a more generic message? While on this topic, are there any other security concerns with Vanilla you might have?
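To make the point concrete, here is an added example (not code from Vanilla, from the cited article, or from the poster) of a login check that returns one generic message for both "unknown username" and "wrong password". It also does the same PBKDF2 work in both cases, because a check that skips the hash when the user does not exist leaks the same information through response time even if the message is generic. The user table, salt, password and iteration count are constructed for illustration; a leaky version is included alongside for contrast.

```python
"""Generic login failure message plus constant work on the unknown-user path.

Added example, not code from Vanilla or from the article quoted above.
USERS, the salts, the password and ITERATIONS are constructed for illustration.
"""
import hashlib
import hmac
import os

HASH_NAME = "sha256"
ITERATIONS = 100_000            # assumption: a fixed PBKDF2 work factor
GENERIC_ERROR = "Invalid username or password."


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under the given salt."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)


# Constructed sample user table: username -> (salt, stored PBKDF2 hash).
# A fixed salt is used here only so the example is reproducible; real code
# stores a fresh os.urandom(16) per user.
_ALICE_SALT = b"\x01" * 16
USERS = {
    "alice": (_ALICE_SALT, hash_password("correct horse battery staple", _ALICE_SALT)),
}

# Dummy credential used when the username does not exist, so the same PBKDF2
# work is done and the failing path takes the same time as a real user's.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> tuple:
    """The pattern the article warns against: the message reveals which
    part was wrong, and the unknown-user path skips the hash entirely."""
    record = USERS.get(username)
    if record is None:
        return (False, "Unknown username.")
    salt, stored = record
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return (False, "Wrong password.")
    return (True, "Welcome, %s." % username)


def login(username: str, password: str) -> tuple:
    """Hardened check: one generic message, and PBKDF2 runs either way."""
    record = USERS.get(username)
    user_exists = record is not None
    salt, stored = record if user_exists else (_DUMMY_SALT, _DUMMY_HASH)

    candidate = hash_password(password, salt)
    # compare_digest avoids an early-exit byte comparison; the user_exists
    # guard makes sure a match against the dummy hash can never log anyone in.
    ok = hmac.compare_digest(candidate, stored) and user_exists
    if ok:
        return (True, "Welcome, %s." % username)
    return (False, GENERIC_ERROR)


if __name__ == "__main__":
    for user, pw in (("alice", "correct horse battery staple"),
                     ("alice", "wrong"), ("bob", "anything")):
        print("leaky:   ", user, login_leaky(user, pw))
        print("hardened:", user, login(user, pw))
```

With the leaky version, an attacker can submit any password against a list of candidate usernames and sort them into "exists" and "does not exist" from the message alone; with the hardened version both wrong-username and wrong-password attempts produce the same message and roughly the same response time. Registration and password-reset forms need the same treatment, since "that e-mail address is already registered" leaks the same bit.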