Login Security already has the option to disable the default login failure error messages. This is good for removing the username enumeration vulnerability. But with that option selected, users are given no feedback at all if there is a login failure, which is not good for usability.

If the 'disable login failure error message' option is selected, it would be good to have the option to set a simple generic error message that does not also add a username enumeration vulnerability, like 'There was a problem with your login.' A message like that does not tell a potential attacker whether an account with that name exists or not, but is very useful usability feedback to the valid users who've just made an error.
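One way the generic message could be produced in a Drupal 7 module, as an added example that is not part of this issue or of the Login Security module's code. The module name `mymodule`, the setting name `mymodule_generic_login_error` and the validator name are hypothetical; the hooks and form API functions used (`hook_form_FORM_ID_alter()`, `form_get_errors()`, `form_clear_error()`, `drupal_get_messages()`, `form_set_error()`) are Drupal 7 core. The point is that the validator runs after core's own `user_login_final_validate()`, so the distinct core messages for "unrecognized username or password" and "account blocked" are both replaced by one message that reads the same whether or not the account exists:

```php
<?php
/**
 * Implements hook_form_FORM_ID_alter() for user_login.
 *
 * Added example code (not from Login Security). Appends a validator that
 * runs after core's user_login_final_validate(), so any error core set is
 * already present when it executes.
 */
function mymodule_form_user_login_alter(&$form, &$form_state) {
  // Hypothetical setting name standing in for the "generic error message"
  // option described in the issue.
  if (variable_get('mymodule_generic_login_error', TRUE)) {
    $form['#validate'][] = 'mymodule_generic_login_error_validate';
  }
}

/**
 * Implements hook_form_FORM_ID_alter() for user_login_block.
 *
 * The block form has its own form ID, so it needs the same treatment.
 */
function mymodule_form_user_login_block_alter(&$form, &$form_state) {
  mymodule_form_user_login_alter($form, $form_state);
}

/**
 * Form validation handler: collapse all login failures into one message.
 */
function mymodule_generic_login_error_validate($form, &$form_state) {
  $errors = form_get_errors();
  if (empty($errors)) {
    // Authentication succeeded; there is nothing to hide.
    return;
  }

  // Core sets different messages for a bad password on an existing account
  // and for a blocked account, and the flood message names "this account".
  // Each of those tells an attacker whether the username exists, so discard
  // every error and its queued message...
  form_clear_error();
  drupal_get_messages('error', TRUE);

  // ...and report exactly one message that is identical for every failure
  // cause. The field name keeps the form highlighting the username field.
  form_set_error('name', t('There was a problem with your login.'));
}
```

Two caveats a practitioner would want. First, `form_clear_error()` clears every validation error on the form, including ones set by other modules' login validators, so anything they wanted to report is also replaced by the generic text; that is the intended effect here, but it should be a conscious choice. Second, making the message uniform only removes the difference in the response text; it does not change anything else about how the server behaves for existing versus non-existing accounts.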


Comments

joe-b

This patch adds that functionality.

joe-b

Status: Active » Needs review