Which of the following can the tester recommend to decrease the likelihood that a malicious attacker will receive helpful information?

During the security assessment of a new application, a tester attempts to log in to the application but receives the following message incorrect password for given username.

Which of the following can the tester recommend to decrease the likelihood that a malicious attacker will receive helpful information?
A . Set the web page to redirect to an application support page when a bad password is entered.
B. Disable error messaging for authentication
C. Recognize that error messaging does not provide confirmation of the correct element of authentication
D. Avoid using password-based authentication for the application

View Answer

Answer: B

Explanation:

Disabling error messaging for authentication would be the best recommendation to decrease the likelihood that a malicious attacker will receive helpful information. Error messaging for authentication is a feature that displays an error message when a user enters an incorrect username or password. However, this feature can also provide useful information to an attacker who is trying to guess or brute-force valid credentials. For example, if the error message says “incorrect password for given username”, then the attacker knows that the username is valid and only needs to focus on cracking the password. Disabling error messaging for authentication can help reduce this information leakage and make it harder for an attacker to succeed.