Slashdot Mirror


'Username or Password is Incorrect' Security Defense is a Weak Practice (hackernoon.com)

Travis Jeffery, writing for HackerNoon: There's a security best practice where sign ins aren't supposed to say "password is incorrect." Instead they're supposed to say the "username or password is incorrect." This "best practice" is bullshit. Stripe's and GitHub's sign ins for example follow this practice. The idea is if an attacker knows a username, he or she could concentrate on that account using SQL injection, brute forcing the password, phishing, and so on. Here's the problem. All a hacker has to do is sign up to know whether the username is valid or not. Why bother then with obfuscating the sign in? Only the dumbest, laziest hacker is stopped by the "username or password is incorrect" sign in. You gain no security, yet your customers lose clarity. Stripe has their form submission behind reCAPTCHA to prevent naive scripts attacking their sign up. However this has been broken multiple times and likely won't ever be perfect. Even if reCAPTCHA were perfect, a hacker could manually validate their usernames of interest by trying to sign up, then automate an attack on the sign in page.
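The argument above is that a generic sign-in message is pointless while the sign-up form still answers "is this username taken?" The defensive fix is to give every account-existence question the same answer on every surface (sign in, sign up, password reset) and move any difference out of band. The example below, added here and not taken from the article or from Stripe's or GitHub's code, shows the leaky sign-up reply beside an enumeration-resistant one, and a sign-in that returns the same message and does the same amount of hashing work whether or not the user exists. It assumes an in-memory user store, PBKDF2 for password hashing (a stand-in for argon2 or bcrypt) and an in-memory outbox list standing in for outgoing e-mail; all names are hypothetical.

```python
"""Enumeration-resistant sign-in and sign-up replies (added example)."""
import hashlib
import hmac
import os
import secrets

# Constructed in-memory user store for the example: email -> (salt, hash).
USERS: dict[str, tuple[bytes, bytes]] = {}
# Constructed outbox: (recipient, kind) pairs a real app would send by e-mail.
OUTBOX: list[tuple[str, str]] = []

GENERIC_SIGNIN_ERROR = "Username or password is incorrect."
GENERIC_SIGNUP_REPLY = "Check your email to continue."


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; prefer argon2/bcrypt in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Dummy credential so a sign-in for an unknown user costs the same time as one
# for a known user. Its preimage is random and discarded, so it never matches.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_urlsafe(16), _DUMMY_SALT)


def create_account(email: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[email.lower()] = (salt, _hash_password(password, salt))


def sign_in(email: str, password: str) -> tuple[bool, str]:
    """Return (ok, message). The message never says which part was wrong."""
    key = email.lower()
    salt, stored = USERS.get(key, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)      # always done, known user or not
    known = key in USERS
    match = hmac.compare_digest(candidate, stored)  # constant-time comparison
    if known and match:
        return True, "Signed in."
    return False, GENERIC_SIGNIN_ERROR


def naive_sign_up(email: str, password: str) -> str:
    """The leaky form: the reply itself tells the caller whether the account exists."""
    if email.lower() in USERS:
        return "That email address is already registered."
    create_account(email, password)
    return "Account created, you can sign in now."


def sign_up(email: str, password: str) -> str:
    """Enumeration-resistant form: identical reply either way.

    The difference goes only to the mailbox, which only its owner can read:
    an existing account gets an "already registered" notice, a new address
    gets a verification link. A real app would hold the new account pending
    until that link is used; here it is created immediately for brevity.
    """
    key = email.lower()
    if key in USERS:
        OUTBOX.append((key, "already-registered-notice"))
    else:
        OUTBOX.append((key, "verification-link"))
        create_account(email, password)
    return GENERIC_SIGNUP_REPLY


if __name__ == "__main__":
    create_account("alice@example.test", "correct horse battery staple")
    print(sign_in("alice@example.test", "wrong"))       # generic message
    print(sign_in("nobody@example.test", "wrong"))      # same generic message
    print(naive_sign_up("alice@example.test", "x"))     # leaks existence
    print(sign_up("alice@example.test", "x"))           # generic reply
    print(sign_up("carol@example.test", "x"))           # same generic reply
    print(OUTBOX)                                       # the difference lives here
```

The same shape applies to password reset ("if that address has an account, we've sent a link"), and rate limiting per source and per target account still belongs in front of all three endpoints; the uniform reply removes the free oracle, it does not replace throttling. MightyYar's comment further down is the privacy side of the same point: whether an address has an account is itself information the service should not hand to third parties.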

2 of 249 comments

  1. Re:Unless... by MightyYar · Score: 5, Interesting

    The other thing is I may not want people knowing whether or not I have signed up for a service... Does MightyYar have an account at BigFatBootyMamas? Yes, yes he does. I don't care if you can sign in and see the beautiful ladies on my dime, but I don't want it to be easy for people to check my email address against random websites looking for where I have accounts.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  2. Re: Except by bluelip · Score: 4, Interesting

    ...or that not all systems allow a user to create their own accounts.

    --

    Yep, I never spell check.
    More incorrect spellings can be found he