57
The Things Users Would Appreciate In Mobile Apps — Smashing Magazine
(www.smashingmagazine.com)
Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!
Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.
Hope you enjoy the instance!
Rules
Follow the wormhole through a path of communities !webdev@programming.dev
I have seen some that seem to be doing that kind of thing, but many others that will reject a bad username before asking for a password.
To double check, I just now tried putting a known bad email address into the username field for amazon.ca and was not then asked for a password, but told that no account could be found.
My possibly flawed understanding of login security is that a failed login should reveal nothing about why the login failed in order to prevent information leakage that can be exploited.
Hmm, interesting.
And yeah, that is my understanding, too. If an attacker knows that a certain e-mail address has an account associated, they might try to bruteforce the password or send a phishing mail to that e-mail address, which looks like an official mail from Amazon.
I'm guessing, Amazon requires 2FA, which would protect from this to some degree, but still seems unnecessary to hand out information like that.
Amazon allows 2FA, but I'm pretty sure they don't require it.