-
Products and Technology
By Category
-
Groups
Activity Groups
Industry Groups
Influence and Feedback Groups
Interest Groups
Location Groups
Customer Only Groups
- Developers
- Partners
- Events
- Help Center
- Topic Pages
-
Explore SAP
Products
Learning and Support
-
- Products and Technology
- Groups
- Developers
- Partners
- Events
- Help Center
- Topic Pages
-
Explore SAP
- Explore SAP
-
Products
- Products
- SAP Business Suite
- Artificial Intelligence
- Business applications
- Data and analytics
- Technology Platform
- Financial Management
- Spend Management
- Supply Chain Management
- Human Capital Management
- Customer Experience
- SAP Business Network
- View products A-Z
- View industries
- Try SAP
- Partners
- Services
- Learning and Support
- About
- SAP Community
- Products and Technology
- CRM and Customer Experience
- CRM and CX Q&A
- Changing generic brute force error message on logi...
- Subscribe to RSS Feed
- Mark Question as New
- Mark Question as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Changing generic brute force error message on login page.
- Subscribe to RSS Feed
- Mark Question as New
- Mark Question as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
on ‎2018 May 02 9:47 AM
- SAP Managed Tags
- SAP Commerce Cloud
Hi,
OOTB hybris blocks a user account after 5 unsuccessful login attempts, but after the account is locked it still shows "Your username or password was incorrect." generic error message. If we change this error message to be more informative like "Your account is locked.", will it be a security concern as the brute force attacker can find out the valid usernames from the site and then misuse them for further security attacks.
I am referring the below statement from the link https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks (point 2 under section locking accounts) .
•Because you cannot lock out an account that does not exist, only valid account names will lock. An attacker could use this fact to harvest usernames from the site, depending on the error responses.
I am using Hybris 6.6 .
Need more details?
Request clarification before answering.
Accepted Solutions (0)
Answers (2)
Answers (2)
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is the customization encouraged ? or is there a trade off between security and better user experience?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes as you described. If you say the error message saying that your account is locked. Then others know the account exists and password is wrong. But these messages can be customized as we want. OOB doest show the message as locked.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Bluesky- Mastering the AI Mindset - Co-Creating the Future of AI & Customer Experience with SAP CX in CRM and CX Blog Posts by SAP
- SAP MDI Setup for Master Data Integration to SAP FSM from S/4HANA Cloud in CRM and CX Blog Posts by SAP
- ABAP2XLSX and XLSM in CRM and CX Q&A
- Case Management: Preconditions in Case Flow Steps in CRM and CX Blog Posts by SAP
- Personalizing Success with SAP CX AI Toolkit: Unlocking Value with AI Tool Builder in CRM and CX Blog Posts by SAP
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.