From 3c14805fe13da6e67bd029a57273bc24a33961c3 Mon Sep 17 00:00:00 2001
From: Shivansh Rai
Date: Mon, 26 Jun 2017 02:40:59 +0530
Subject: [PATCH] Avoid hints for an invalid password attempt

In case a (malicious) user gets a correct username, avoid showing hint for invalid password attempts as they can guide a brute force attack.
---
 flash_cards.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/flash_cards.py b/flash_cards.py
index 12bf29c..6d34a44 100644
--- a/flash_cards.py
+++ b/flash_cards.py
@@ -260,9 +260,9 @@ def login():
     error = None
     if request.method == 'POST':
         if request.form['username'] != app.config['USERNAME']:
-            error = 'Invalid username'
+            error = 'Invalid username or password!'
         elif request.form['password'] != app.config['PASSWORD']:
-            error = 'Invalid password'
+            error = 'Invalid username or password!'
         else:
             session['logged_in'] = True
             session.permanent = True # stay logged in
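Review bot: The two branches now emit the same literal, but the password comparison is still skipped when the username is wrong and both checks are plain `!=` against a plaintext configured secret, so the two failure paths remain separable in principle by response time and the duplicated message can drift apart on a later edit. Computing both results with `hmac.compare_digest` before a single `if` defines the message once and puts a wrong username and a wrong password on the same code path; `import hmac` would go at the top of the file, outside this hunk. `compare_digest` on `str` raises `TypeError` for non-ASCII input, hence the `.encode()` calls below. Nothing in the hunk throttles repeated attempts; if that is not handled elsewhere, a per-client rate limit or lockout would address the brute-force concern the commit message raises more directly than the message change. The enclosing `login()` continues past the hunk on both sides.
```python
    if request.method == 'POST':
        # Compare both fields unconditionally so a wrong username and a
        # wrong password take the same path and yield the same message.
        user_ok = hmac.compare_digest(request.form['username'].encode(), app.config['USERNAME'].encode())
        pass_ok = hmac.compare_digest(request.form['password'].encode(), app.config['PASSWORD'].encode())
        if not (user_ok and pass_ok):
            error = 'Invalid username or password!'
        else:
            # … unchanged: session setup …
```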