Slashdot Mirror


'Username or Password is Incorrect' Security Defense is a Weak Practice (hackernoon.com)

Travis Jeffery, writing for HackerNoon: There's a security best practice where sign ins aren't supposed to say "password is incorrect." Instead they're supposed to say the "username or password is incorrect." This "best practice" is bullshit. Stripe's and GitHub's sign ins for example follow this practice. The idea is if an attacker knows a username, he or she could concentrate on that account using SQL injection, brute forcing the password, phishing, and so on. Here's the problem. All a hacker has to do is sign up to know whether the username is valid or not. Why bother then with obfuscating the sign in? Only the dumbest, laziest hacker is stopped by the "username or password is incorrect" sign in. You gain no security, yet your customers lose clarity. Stripe has their form submission behind reCAPTCHA to prevent naive scripts attacking their sign up. However this has been broken multiple times and likely won't ever be perfect. Even if reCAPTCHA were perfect, a hacker could manually validate their usernames of interest by trying to sign up, then automate an attack on the sign in page.

4 of 249 comments

  1. Re:Except by jb_nizet · · Score: 3, Informative

    No, because that would mean the password is stored in clear text in the database, or hashed but not salted randomly, which would be a much bigger security problem.

    To securely verify credentials, you get the random salt and hashed password of the user, thanks to the provided login, in the database. Then you salt the password and hash it, and compare the result with the password you got in the database.

  2. Require email login, not username login by tepples · · Score: 3, Informative

    Requiring users to log in with an email address, as opposed to a username, doesn't disclose that the account exists. If you try to create an account for an address that you do not control, you will not receive the verification message. If you try to create an account for an address that you do control and which already has an account, you'll begin a password reset instead.
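Comments 1 and 2 together describe a defender's side of this: verify a salted hash and return the same generic message for an unknown login and a wrong password, and make sign-up behave identically whether or not the address already has an account. The following is an added example (not code from the article or from any commenter) that assumes an in-memory user store keyed by email address; it also goes one step beyond the comments by hashing against a dummy salt for unknown logins, so response time does not reveal whether the account exists.

```python
import hashlib
import hmac
import os

# Constructed in-memory "database": email -> (salt, pbkdf2_hash). Sample data only.
USERS = {}
GENERIC_ERROR = "username or password is incorrect"
SIGNUP_MESSAGE = "Check your email for a link to continue."
DUMMY_SALT = os.urandom(16)  # used so unknown logins cost the same as known ones


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user random salt, the scheme comment 1 describes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(email: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[email] = (salt, hash_password(password, salt))


def verify_login(email: str, password: str):
    """Return (ok, message). The message is identical for unknown login and wrong password."""
    record = USERS.get(email)
    if record is None:
        # Do the same amount of work as for a real user before answering.
        hash_password(password, DUMMY_SALT)
        return False, GENERIC_ERROR
    salt, stored = record
    # Constant-time comparison of the recomputed hash with the stored one.
    if hmac.compare_digest(hash_password(password, salt), stored):
        return True, "ok"
    return False, GENERIC_ERROR


def sign_up(email: str):
    """Return (message shown to the requester, internal mail action).

    As comment 2 describes: an existing account silently gets a password-reset
    mail, a new address gets a verification mail, and the requester sees the
    same message either way.
    """
    action = "send_password_reset" if email in USERS else "send_verification"
    return SIGNUP_MESSAGE, action
```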

  3. Re:Except by mwvdlee · · Score: 1, Informative

    While we're being pedantic assholes, the user may have entered the correct username and password, but for a different website. So saying "username or password is incorrect" could also be misleading.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?

  4. Re: Except by Anonymous Coward · · Score: 2, Informative

    If it is in the database, it is a valid username (or once was), but that doesn't mean that it is *correct*.

    If I'm jsmith1 and try to log in as jsmith with my password, then it'll fail. Why did it fail? Depending on your perspective it failed either because of a wrong password (it wasn't jsmith's password!) or a wrong username (password was correct, but username was wrong).

    The whole point of the article is to have something like "oh you used the wrong username" if the username is invalid. Fine, you can do that if the username isn't in the database. But if it IS in the database, the best you can say is that either the username is incorrect, the password is incorrect, or both are incorrect. If the username's in the database you still don't know if the user typed it right or not...