
Wait, you just inserted an invalid password in my database, how do I change my password? Hell, the only way I'll even realize something's wrong is by trying to log in in the first place, and, if you can see my connection, why would you have me enter a wrong password, rather than the right one?



Because the main login is HTTPS-secure (I would hope - for a bank), but the change-password feature is not.


Oh, you mean the account recovery page, not one that requires the old password to change to a new one. I see.


I think he's suggesting that you happen to actually know the right password, and will attempt to enter it after the failed KeePass attempt? But then, if you know the right password, you could also visually inspect the KeePass data to know it was wrong.



