Solved

Invalid login error message

Justin M 8 months ago in Feature requests updated by Vlad R 8 months ago 11

When attempting to login with an invalid username, you get the error message "Invalid username".

When attempting to login with a valid username & invalid password, you get the error message "Invalid password".


I can't think of any website which gives this kind of feedback to someone attempting to log in about which of the username/password fields is incorrect. This would allow an attacker to keep guessing usernames and Filerun to tell them if they are valid or not.

In my opinion, if any part of the username/password are invalid, it should give the same login error to the user so there is no indication what part of the credentials are incorrect.

Answer


If you fear attacks, you can easily change both feedback messages to the same generic one if you wish, via the translation system: https://docs.filerun.com/translating_filerun

You can also lower the value of the setting "Maximum login attempts".

The reason why we leave it as is, is that in many cases, the FileRun install hosts a lower number of users, and an almost non-existent risk of brute force attempts or successes (given that FileRun protects against that by default), and providing useful feedback is better than a cryptic reason the login failed.


The way you've implemented it, wouldn't "Maximum login attempts" only apply to the password? For example, nothing is stopping someone from trying 1000 usernames with Filerun helpfully telling them which users are valid and which aren't. "Max login attempts" is only blocking password attempts against a single username before the value is reached and the user account is deactivated. Or am I misunderstanding what it's doing?


I can't think of any other website which provides that kind of feedback to someone attempting to log in and for good reason, I think it's a bad security practice.


Either way, thank you for replying and I appreciate you've given me a solution to change the text.
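The two points raised in this thread, distinct error messages and a lockout counter that only tracks one username, as an added illustration in Python (not FileRun's code; the user store, salt and client identifiers are constructed):

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed user store: username -> PBKDF2 digest. Hypothetical data, not FileRun's.
_SALT = b"constructed-salt"


def _hash(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


USERS = {"alice": _hash("correct horse")}
# Dummy digest so an unknown username costs the same as a known one (no timing oracle).
_DUMMY = _hash("placeholder-not-a-real-password")


def login_leaky(username: str, password: str) -> tuple:
    """Behaviour described in the thread: the message itself reveals whether the username exists."""
    if username not in USERS:
        return (False, "Invalid username")
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return (False, "Invalid password")
    return (True, "OK")


class LoginService:
    """Hardened variant: one generic message, and failures counted per client, not per account."""

    GENERIC = "Invalid username or password"

    def __init__(self, max_attempts: int = 5):
        self.max_attempts = max_attempts
        self.failures = defaultdict(int)  # keyed by client identifier, e.g. source address

    def login(self, client: str, username: str, password: str) -> tuple:
        if self.failures[client] >= self.max_attempts:
            return (False, self.GENERIC)  # locked out; still the same message
        # Always hash the supplied password, even for unknown usernames.
        stored = USERS.get(username, _DUMMY)
        digest_matches = hmac.compare_digest(stored, _hash(password))
        if digest_matches and username in USERS:
            self.failures.pop(client, None)
            return (True, "OK")
        self.failures[client] += 1
        return (False, self.GENERIC)
```

Because the counter is keyed by client, probing many different usernames from one source exhausts the allowance just as repeated passwords against one account do; real deployments usually combine both per-client and per-account limits.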

Thank you for the feedback!

It came from admin requests, tired of non-technical people trying to login with wrong usernames and raising support tickets about it. While it's not the best security practice, for some cases it outweighs the disadvantage.

Hi Vlad, not sure if you got a notification of my question below since this is marked solved.

Hey Vlad, I went to Client Area > Translation Tool > English and clicked Download (for the php) and Old Format (for the txt) but both are like 20 lines. I tried grabbing French and it's 2328 lines.

Might be something wrong with the English download?

The application's default language is English, so it does not need translations. Those lines are your custom ones and some date formats. It works as expected.

Hi Vlad,

I'm confused. Your reply above said I can change the error messages via translations and you provided the link to https://docs.filerun.com/translating_filerun. On that page, it says to go to the client area and download the language file. When I click download on English, it does not have any of the lines of the other languages for me to edit the error messages. Where am I going wrong?

Have you customized any of the phrases, in the translation tool? If not, the downloaded file will not contain your customization.

Also tried going here https://github.com/filerun/translations, no english.php

Thought there may be one in my Filerun I could edit, the documentation says to put your translation file in system/data/translations, but I don't have that directory?

Are you using the latest FileRun version?

Sorry, I do have that directory. It has an english.php that's identical to the one downloaded from the client area.