+1 for giving a correct message. It has bitten me more than once, and I
really don't think it would make any attack harder.

The information you would give is the same information that can be acquired
by logging in to the main site first, and then trying to log in to the admin
site. So at the moment we are trying to obscure something that isn't obscure
now either...



On Sat, Mar 12, 2011 at 13:35, Peter <pjrhar...@gmail.com> wrote:

> I think some people seem to be confused about what is being asked for.
>
> I think the suggestion is that you should get this new "not an admin
> account" message iff the provided username _and_ password are correct.
> If you don't have permission, but provide an incorrect password, then
> you still get the old message.
>
> That way, you can only gain more information than with the current
> system when you have both a username and correct password. If an
> attacker has that information, then frankly, it's too late to be
> thinking about how to make things more secure.
>
> Regards,
>
> Peter
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers" group.
> To post to this group, send email to django-developers@googlegroups.com.
> To unsubscribe from this group, send email to
> django-developers+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/django-developers?hl=en.
>
>
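The behaviour proposed in the quoted message, sketched as an added example (not Django's code and not written by anyone in the thread): the distinct "not an admin account" message is reachable only after the username and password have both verified. The message strings, sample accounts and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

GENERIC = "Please enter a correct username and password."  # constructed wording
NOT_STAFF = "This account is valid but is not an admin account."  # constructed wording

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def make_user(password, is_staff):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "is_staff": is_staff}

# Constructed sample accounts: one staff user, one ordinary user.
USERS = {
    "alice": make_user("alice-pw", is_staff=True),
    "bob": make_user("bob-pw", is_staff=False),
}
# Dummy record so an unknown username costs the same hashing work as a known one.
DUMMY = make_user("unused", is_staff=False)

def admin_login(username, password):
    """Return (logged_in, message) for one admin login attempt."""
    user = USERS.get(username)
    record = user if user is not None else DUMMY
    candidate = hash_password(password, record["salt"])
    password_ok = hmac.compare_digest(candidate, record["hash"])
    # Unknown user or wrong password: always the old generic message,
    # whether or not the account has admin permission.
    if user is None or not password_ok:
        return False, GENERIC
    # Only a fully authenticated non-staff user sees the specific message.
    if not user["is_staff"]:
        return False, NOT_STAFF
    return True, ""

def responses_without_password(guess="wrong-guess"):
    """Responses seen by someone who knows usernames but no password."""
    return {name: admin_login(name, guess) for name in ("alice", "bob", "nobody")}
```

Without a valid password, the staff account, the non-staff account and the nonexistent account all return the same response, so the new message adds no way to tell them apart.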
