> If an attacker is brute forcing logins, providing a nondescript error
> message here makes life harder.

That claim doesn't really make sense to me. There's 1 of 2 scenarios in my mind, but I've been wrong before and I'll be wrong many more times in my life.

Scenario 1: The site has an open login system where there are regular users and admin users (is_staff=True). If an attacker wants to brute force this type of site, they'll simply use the regular public facing login mechanism, verify account credentials and then use them on the admin facing login screen. Get an error, you know they're not an admin.

Scenario 2: The site only has admin users, and there are no _active_ users with is_staff=False. At first it might seem like providing a non-descriptive error message would stop an attacker from brute forcing this type of account. However, there are _only_ admin users on this site. There will be no active users who would have is_staff=False, and therefore any time an attacker got hold of valid credentials, they would be entered into the admin area.

The only logical thought I can see here is that if there are inactive users in the database, you allow the attacker to stop their attack short when they find a user with invalid permissions, and go to the next account. This doesn't seem like enough benefit to justify having a confusing message presented to legitimate users, at least in my opinion.

-- 
Brian O'Connor