How bad is exposing valid user names?

Today, like many other times in the past, I signed up for a new service and got a common error message: "Your user name or password is invalid".

This time I am wondering how useful it is to notify "invalid password OR user" versus a less common but more useful two-message schema with the real problem: "unknown user", "invalid password".

My thought was that a system that does not specify if the user name is valid could be more secure because it will not expose valid user names. However, how practi

Is it a bad idea for user-uploaded images to have predictable file names? Or should they be randomly generated?
Information Security

I want to let users upload images, and my plan was to just name the image file after their username for easy reference. But it occurred to me that most websites which allow image uploading usually generate a random string of numbers for the name of the file. Is there any (security) advantage to doing this? Or is it just an unrelated decision by the developers?


For me, the advantage of using the username is that I don't need to store the string of numbers in the database for each user, and can reference images by username alone.


Most Efficient Way to Search for “Bad Names” in a User's Name
Information Security

I have an app that I'm developing; in it, users can choose a name for themselves. I need to be able to filter out "bad" names, so I do this for now:


$error_count = 0;
// Forbidden names, concatenated into one string (as in the original approach)
$bad_names = "badname1badname2";
// $user_name is the name submitted by the user; it is escaped so that regex
// metacharacters in it cannot alter or break the pattern
preg_match_all("/" . preg_quote($user_name, "/") . "/i", $bad_names,
    $matches, PREG_OFFSET_CAPTURE);
// Any match means the submitted name occurs somewhere inside the bad-names string
if (count($matches[0]) > 0) {
    $error_count++;
}

This would tell me if the user's name was inside the bad names list, however, it doesn't tell me if the bad name itself is in the user's name. They could combine a bad word with something else and I wouldn't detect it.


Wha

Exposing Entity Framework classes via WCF - Good idea or bad
Information Security

I've been developing a WCF service with an Entity Framework back-end. When it came to passing data between the WCF service and the client, I'd considered using POCOs or DTOs before settling on POCOs. It was only when I started coding it that I realised I'd never considered using the EF entities for passing data between the client and the WCF server.


My question is this: is using the EF entities for data transfer between the WCF service and the client an acceptable choice or is it regarded as bad practice?


I hope this question doesn't come across as too subjective, but I'm trying to understand whether this is a possible design option rather than the b

A Reg expr that can match valid user names
Information Security

Hello.
I am learning how to write PHP scripts and I am a novice at this, although this question has nothing to do with PHP scripts.
I need to find a reg expr to match a valid name. The rules for this are:
The name may contain nothing but letters, whitespace, hyphens (-), apostrophes (') or dots. It must not start with anything but letters. Hyphens and apostrophes must not occur anywhere but between two letters. Dots must be preceded by a letter but not followed by a letter.
So these are valid names:
Mark Peter-Jones, Mark O'Meara, Rob van Dam, Sammy Davis Jr., Dr. Doo Little

