this post was submitted on 26 May 2025
562 points (96.2% liked)
Cybersecurity - Memes
2827 readers
1 users here now
Only the hottest memes in Cybersecurity
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
This thread is just a series of people who think they understand.
Thinking you understand when you do not is the real cyber security threat.
This is a password reset form. This requires the user having successfully authenticated or gone through a password recovery form. The best practices in this instance are not the same as the best practices for a login form.
It would still take significant time, but it's still a vulnerability, especially as technology evolves. You're right that best practices are different for a reset form, but there are some things that are common (like don't do hashes in the front end).
This form can be used to brute force or dictionary guess passwords and infer what they are without a limitation on login attempts. Even if the password has already been invalidated on that service, finding a collision on this service gives you a password that might work on other services for the same email address/username
And waiting for a form submit changes that in what way that cannot also be done on a debounce?