I make a typo in the username
"username doesn't exist"
I fix the typo and mess up the password
"incorrect password"

... I smell a potential exploit here...

Comments
  • 0
    @Letmecode this is Discord we're talking about
  • 2
    With most sites you can check if a username exists by trying to register it. Once you know it does you can try to brute force it.

    We have the same design in our current project, but after the 3rd invalid password we block the user and ask them to reset their password in an email, also saying that there was a login attempt.

    That sounds quite safe to me.
  • 2
    I do this.. but it's not internet facing, just on my login system for a dsp control server. What kind of exploits would you try? I'm curious how exploitable it is (I don't really care though if it is exploitable..)
  • 1
    I always return "Incorrect email/password combination", on top of this I use ip/email lockouts that return the same thing.

    @fatlard1993 it's pretty much just a standard brute force attack, except you can skip the email if it doesn't exist, which cuts down the time required for someone to get where they aren't supposed to be. Worst case, with it being internal, you would use internal emails, which could be scraped from your site, and they could find one or two of them that work and just brute force those two instead of having to try every email even if it doesn't log in.
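    The approach this comment describes (one generic failure message, plus per-IP/email lockouts that return the same message), written out as an added example; this is my own illustrative code, not from the original thread or any particular site. It assumes a hypothetical in-memory user store with PBKDF2 password hashes, and it also runs the hash comparison for unknown usernames so the "no such user" path does not stand out by timing either (the email notification mentioned earlier in the thread is left out).

```python
import hashlib
import hmac
import os
import secrets
from collections import defaultdict

# Constructed sample user store (hypothetical): username -> (salt, PBKDF2-SHA256 hash).
def _hash(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, _hash(b"correct horse", _ALICE_SALT))}

# Dummy credential: an unknown username is verified against this so the
# "user does not exist" path costs the same as the "known user" path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_bytes(16), _DUMMY_SALT)

GENERIC_ERROR = "Incorrect email/password combination"
MAX_FAILURES = 3
failures = defaultdict(int)  # key: (client_ip, username) -> consecutive failures

def login(username: str, password: str, client_ip: str):
    """Return (success, message). Every failure path yields the same message."""
    key = (client_ip, username)
    if failures[key] >= MAX_FAILURES:
        # Locked out, but the caller cannot tell this apart from a bad password.
        return (False, GENERIC_ERROR)
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # Always do the hash work, then compare in constant time.
    matches = hmac.compare_digest(_hash(password.encode(), salt), stored)
    if username not in USERS or not matches:
        failures[key] += 1
        return (False, GENERIC_ERROR)
    failures[key] = 0
    return (True, "ok")
```

Both the "wrong username" and "wrong password" responses come back identical, so the typo experiment from the original post would no longer tell the two apart.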
  • 0
    @jckimble
    I see so really it only opens doors to more novice-style brute forcing..?
  • 1
    @fatlard1993 more or less, it makes it easier/cheaper on hackers. I look at it more as scanning than brute force when you give something recognizable to search for usernames or emails, cause at that point they have a list of valid logins where they can use social engineering to get passwords, brute force the site or even brute force the email and reset the password. Really it just opens more attack vectors than anything.
  • 0
    @jckimble
    Right arm, thanks for the explanation :)