Re: [pgsql-www] Google signin
| From | Daniel Gustafsson |
|---|---|
| Subject | Re: [pgsql-www] Google signin |
| Date | |
| Msg-id | 175D2B7B-F3BA-4952-9144-9358FF2F9F34@yesql.se |
| In reply to | Re: [pgsql-www] Google signin (Magnus Hagander <magnus@hagander.net>) |
| List | pgsql-www |
> On 15 Aug 2017, at 22:22, Magnus Hagander <magnus@hagander.net> wrote:
>
> On Tue, Aug 15, 2017 at 8:26 PM, Daniel Gustafsson <daniel@yesql.se> wrote:
>
> > > that does this. It will try in order:
> > > <firstname><lastinitial>, e.g. stephenf
> > > <firstinitial><lastname>, e.g. sfrost
> > > <firstname><lastinitial><number>, e.g. stephenf0, stephenf1, stephenf2 etc
> >
> > How about a random number instead? Not that I see any immediate risk with
> > anything here, but many years of looking at logs from web attacks has taught me
> > that predictability is what is being tried first.
>
> I'm not really sure what the attack scenario would be though? I think the
> sequential one would generally generate a nicer name, and we're not trying an
> infinite number. Plus to even get there you must have logged in with a google
> (or something) account that already failed the first two checks. And if you
> then want to do it again, you have to create another third party account and
> loop over it...
>
> Or do you see a scenario that I don't?

No, nothing comes to mind apart from a gut reaction to predictability in user
visible data. It's probably fine.

cheers ./daniel
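The allocation order discussed in the thread, with the sequential suffix Magnus describes next to the random suffix Daniel floated, as an added example. This is illustrative Python written for this page, not pgweb's own code; the normalisation rule, the function names, the bound of 100 attempts and the random range are assumptions.

```python
import re
import secrets
from typing import Callable, Iterator, Optional, Set


def _clean(part: str) -> str:
    """Lowercase and keep only [a-z0-9]. Assumed normalisation, not pgweb's."""
    return re.sub(r"[^a-z0-9]", "", part.lower())


def sequential_suffix(attempt: int) -> str:
    """The scheme from the thread: stephenf0, stephenf1, stephenf2, ..."""
    return str(attempt)


def random_suffix(attempt: int) -> str:
    """Daniel's alternative: an unpredictable suffix from a CSPRNG.

    The range (0..9999) is an assumption; the point is that the next
    allocated name cannot be derived from the previous one.
    """
    return str(secrets.randbelow(10000))


def candidate_usernames(
    first: str,
    last: str,
    suffix: Callable[[int], str] = sequential_suffix,
    max_tries: int = 100,
) -> Iterator[str]:
    """Yield candidates in the order the thread lists them, bounded by max_tries.

    Raises ValueError when a name part has nothing usable after cleaning, the
    failure mode the first two patterns cannot handle.
    """
    f, l = _clean(first), _clean(last)
    if not f or not l:
        raise ValueError("first and last name must each contain a letter or digit")
    yield f + l[0]            # <firstname><lastinitial>, e.g. stephenf
    yield f[0] + l            # <firstinitial><lastname>, e.g. sfrost
    for attempt in range(max_tries):
        yield f + l[0] + suffix(attempt)   # <firstname><lastinitial><number>


def allocate_username(
    first: str,
    last: str,
    taken: Set[str],
    suffix: Callable[[int], str] = sequential_suffix,
    max_tries: int = 100,
) -> Optional[str]:
    """Return the first candidate not already in `taken`, or None when the
    bounded search is exhausted (the caller then has to ask the user)."""
    for candidate in candidate_usernames(first, last, suffix, max_tries):
        if candidate not in taken:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample of already-registered names, not real data.
    existing = {"stephenf", "sfrost", "stephenf0"}
    print(allocate_username("Stephen", "Frost", existing))
    print(allocate_username("Stephen", "Frost", existing, suffix=random_suffix))
```

With the sequential suffix the next name to be handed out is always the lowest free number, which is the predictability Daniel reacted to; with `random_suffix` the collision check against `taken` is what keeps names unique, and the bound on attempts is what keeps the loop finite in both cases. Neither participant identifies an attack that depends on the suffix, so the choice here is about how guessable a visible identifier is, not about a known risk.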