06-06-09, 09:16 AM   #15
Vyper
A Rage Talon Dragon Guard
Join Date: Jul 2008
Posts: 317
Originally Posted by Shirik:
Get your facts straight before you go crazy.

Your login information is not stored in your config.wtf folder. At the very most, it only stores your account name.

I must have access to the WTF folder, period. There are certain addons that install files there, and not having access there would not let such addons be installed. If you would like to propose a secure solution that would not impact these addons, I am all ears.
First off, let's be clear: I'm not accusing anyone of anything, just observing.

The concern about access to the config.wtf file is valid. If the username is stored in that file, you could easily collect usernames *again not saying you are*. One of the basic practices of maintaining a secure system is to never give that kind of information away: even when the user has provided a correct username and a bad password, you never tell them the password was bad. You just say invalid username/password combination.

Why? Because with a list of valid accounts it is much, much easier to crack a system.

Consider: to perform a normal brute force attack on a system, I must guess a username, then guess a password. Usernames are almost as tough to guess as passwords (in fact many have more secure usernames than their passwords).

If, on the other hand, I am first able to generate a list of valid users, I can just start going through the dictionary, trying each word against each of these valid accounts. I'm sure to find a lot of people with insecure passwords, and I can do it much faster than trying to guess valid usernames alongside.

My immediate suggestion (if possible with the security manager you are using) would be to grant access to the folder, but NOT the file.

Originally Posted by Elhana:
Request Interface/ and WTF/Account/ access?
This would also probably work, but would be tougher as some have multiple accounts.
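As an added illustration of the uniform-error practice described in the post above (example code written for this page, not from the post or from any addon discussed), the snippet below uses a small constructed password store and two hypothetical login functions: `login` returns the same "invalid username/password combination" message for an unknown user and for a wrong password, and does the same amount of hashing work either way so the response time does not leak which case it was, while `login_leaky` shows the behaviour that lets someone build a list of valid accounts.

```python
import hashlib
import hmac
import os

# Constructed sample store: username -> (salt, PBKDF2 hash). The storage
# format is an assumption for this example; the post names none.
ITERATIONS = 100_000
GENERIC_ERROR = "invalid username/password combination"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_store(users: dict) -> dict:
    """Build the sample store from plaintext passwords (test setup only)."""
    store = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash_password(pw, salt))
    return store


# Fixed dummy credentials so that an unknown username still costs one PBKDF2
# run; otherwise a miss returns measurably faster than a wrong password.
_DUMMY_SALT = bytes(16)
_DUMMY_HASH = _hash_password("dummy", _DUMMY_SALT)


def login(store: dict, username: str, password: str) -> tuple:
    """Return (ok, message); the message never says which part failed."""
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    actual = _hash_password(password, salt)
    # Constant-time comparison, and an unknown user always fails even if the
    # supplied password happened to match the dummy hash.
    ok = hmac.compare_digest(actual, expected) and username in store
    return (True, "ok") if ok else (False, GENERIC_ERROR)


def login_leaky(store: dict, username: str, password: str) -> tuple:
    """Contrast case: distinct messages reveal which usernames exist."""
    if username not in store:
        return False, "unknown username"
    salt, expected = store[username]
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return False, "bad password"
    return True, "ok"
```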