1 Reply Latest reply on Aug 21, 2007 10:36 AM by (Alec_Fehl)

    Security risk- Login Form

      Hi all,
      I've used the login wizard to create login forms for a site, and I was wondering whether it's possible to change the error messages specific to the login form.
      When one enters a bad username or pass, the form tells you which error you made, letting you know if you typed in the username correctly or the problem was the password.
      My problem is with someone trying to hack into the site: knowing where the error is, whether it was the username or the password, would make his work easy, because the hacker would know when he has a correct username or a bad password.

      Is there a way of modifying some files, whether in the includes folder or on the login form, so that instead of the error message being so specific, the user gets something like "Error: Login failed" (this part is already part of the form by default), with words like these added to that message:

      The e-mail address or password is incorrect. Please try again.

      The point is then the hacker would have a harder time knowing when he has the correct username and won't then move on to just guessing a password.
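
The behaviour asked for above, as an added example that is not part of the original post and not the login wizard's own code: a login check that returns the same message for an unknown username and for a wrong password, shown beside the specific-message version. It goes one step past the message text by also doing the same hashing work for unknown accounts, so response time does not reveal what the message hides. The in-memory user store, the function names and the choice of Python are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Message wording taken from the post; everything else here is constructed.
GENERIC_ERROR = ("Login failed. The e-mail address or password is incorrect. "
                 "Please try again.")
ITERATIONS = 100_000


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed sample account (hypothetical store standing in for the site's user table).
USERS = {"alice@example.com": make_record("correct horse battery")}

# Throwaway record checked when the account does not exist, so an unknown
# username costs the same hashing work as a known one.
DUMMY = make_record(os.urandom(16).hex())


def login_specific(email, password):
    """The behaviour the post describes: the message says which field was wrong."""
    record = USERS.get(email)
    if record is None:
        return False, "Login failed. The username is incorrect."
    if not hmac.compare_digest(hash_password(password, record["salt"]), record["hash"]):
        return False, "Login failed. The password is incorrect."
    return True, "Welcome."


def login_generic(email, password):
    """Same outcome and same work whether the username or the password is wrong."""
    record = USERS.get(email)
    candidate = record if record is not None else DUMMY
    matches = hmac.compare_digest(
        hash_password(password, candidate["salt"]), candidate["hash"])
    if record is None or not matches:
        return False, GENERIC_ERROR
    return True, "Welcome."
```

Any other page that accepts the same e-mail address (registration, password reset) needs the same treatment, otherwise it gives away what the login form no longer does.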