My PHP user authentication script is based on code from someone who, at the time, was a much better coder than me. As such I trusted that the parts I didn’t quite see the point of were better left alone unless I had a good reason to change them. I’ve since improved and have my own ideas of what should be done.
One of the things in this script is that it allows you to define (and easily change) a custom name for the HTML login and password fields.
I guess if someone is trying to brute force their way into an account this would allow you to confuse their script until they notice and react, but otherwise I just don’t see the point.
Can anyone explain any real benefit of this before I simplify my script and strip this out?
I’m afraid there is no real benefit at all; password fields will always be type="password" in HTML, which alone pretty much proves the pointlessness.
Other reasons against: any client-side app will look at the HTTP requests and responses or the ‘password’ input (can still do both), intermediary attacks will look at HTTP / TCP packets, and brute force attacks will still brute force (although why they’d brute force a ‘login’ to a site rather than SSH, open ports or try to use known exploits is beyond me).
Hope that helps
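
The answer's first point, as an added example that is not part of the original thread: any form-aware client (a password manager's autofill, for instance) identifies the credential fields by input type, so a custom `name` attribute hides nothing. The markup, field names and function names below are constructed for illustration.

```python
from html.parser import HTMLParser

class CredentialFieldFinder(HTMLParser):
    """Per <form>, record the name of the password input and of the
    text-like input that precedes it (normally the login field)."""
    TEXT_TYPES = {"text", "email", "tel"}

    def __init__(self):
        super().__init__()
        self.forms = []          # one dict per form containing a password input
        self._in_form = False
        self._last_text = None   # name of the most recent text-like input

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._in_form, self._last_text = True, None
        elif tag == "input" and self._in_form:
            # A missing type defaults to "text"; type values are case-insensitive.
            kind = (a.get("type") or "text").strip().lower()
            if kind in self.TEXT_TYPES:
                self._last_text = a.get("name")
            elif kind == "password":
                self.forms.append({"login": self._last_text,
                                   "password": a.get("name")})

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False

def find_credential_fields(html):
    finder = CredentialFieldFinder()
    finder.feed(html)
    finder.close()
    return finder.forms

# Constructed sample markup: conventional names vs. custom, changeable names.
PLAIN = ('<form method="post"><input type="text" name="login">'
         '<input type="password" name="password"></form>')
RENAMED = ('<form method="post"><input name="f_8c1a">'
           '<input TYPE="Password" name="f_77d2" />'
           '<input type="hidden" name="csrf" value="x"></form>')

if __name__ == "__main__":
    for label, page in (("plain", PLAIN), ("renamed", RENAMED)):
        print(label, find_credential_fields(page))
```

Both forms yield their login and password field names from the markup alone, which is why renaming the fields does not slow down guessing; limits on failed attempts enforced server-side are what do.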