this post was submitted on 26 May 2025
567 points (96.4% liked)
Cybersecurity - Memes
2856 readers
2 users here now
Only the hottest memes in Cybersecurity
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
This thread is just a series of people who think they understand.
Thinking you understand when you do not is the real cyber security threat.
This is a password reset form. This requires the user having successfully authenticated or gone through a password recovery form. The best practices in this instance are not the same as the best practices for a login form.
This form can be used to brute force or dictionary guess passwords and infer what they are without a limitation on login attempts. Even if the password has already been invalidated on that service, finding a collision on this service gives you a password that might work on other services for the same email address/username
And waiting for a form submit changes that in what way that cannot also be done on a debounce?
It would still take significant time, but it's still a vulnerability, especially as technology evolves. You're right that best practices are different for a reset form, but there are some things that are common (like don't do hashes in the front end).