Slashdot Mirror


'Username or Password is Incorrect' Security Defense is a Weak Practice (hackernoon.com)

Travis Jeffery, writing for HackerNoon: There's a security best practice where sign ins aren't supposed to say "password is incorrect." Instead they're supposed to say the "username or password is incorrect." This "best practice" is bullshit. Stripe's and GitHub's sign ins for example follow this practice. The idea is if an attacker knows a username, he or she could concentrate on that account using SQL injection, brute forcing the password, phishing, and so on. Here's the problem. All a hacker has to do is sign up to know whether the username is valid or not. Why bother then with obfuscating the sign in? Only the dumbest, laziest hacker is stopped by the "username or password is incorrect" sign in. You gain no security, yet your customers lose clarity. Stripe has their form submission behind reCAPTCHA to prevent naive scripts attacking their sign up. However this has been broken multiple times and likely won't ever be perfect. Even if reCAPTCHA was perfect, a hacker could manually validate their usernames of interest by trying to sign up, then automate an attack on the sign in page.

31 of 249 comments

  1. Except by Anonymous Coward · · Score: 5, Insightful

    The user may have entered either the password OR username incorrectly. So saying "password is incorrect" could be misleading.

    1. Re:Except by cyberchondriac · · Score: 2

      The user may have entered either the password OR username incorrectly. So saying "password is incorrect" could be misleading.

      And that there could be the end of the discussion. Not everyone saves their username creds in their browser.

      --

      Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
    2. Re: Except by Anonymous Coward · · Score: 2, Insightful

      And if it is in the database?

      jsmith
      jsmith1
      jasmith

      etc

    3. Re: Except by bluelip · · Score: 4, Interesting

      ...or that not all systems allow a user to create their own accounts.

      --

      Yep, I never spell check.
      More incorrect spellings can be found he
    4. Re:Except by guruevi · · Score: 3, Insightful

      Then you say "username incorrect" or "password incorrect" as appropriate. You generally do the username lookup first anyway so the logic could be short circuited.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    5. Re:Except by jellomizer · · Score: 4, Insightful

      Also this argument seems focused around consumer-level sites, where people can make their own accounts. Systems with data that they are really trying to secure have an Administrator create an account, not the end user.
      Also the level of complexity to try to check if a new account is used or not, by making a login into the system, is a bit harder than just trying the login screen. Meaning the hacker will need to be more particular to the system they are trying to break into, as other than trying to put in 2 data points (login name/password), it will need to navigate the account creation page.
      Finally, if you set up your security in your system in a better way, the computer really doesn't know if it was your login or your password that was incorrect. You really shouldn't be loading the Account object until after authentication is confirmed.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    6. Re:Except by jb_nizet · · Score: 3, Informative

      No, because that would mean the password is stored in clear text in the database, or hashed but not salted randomly, which would be a much bigger security problem.

      To securely verify credentials, you get the random salt and hashed password of the user, thanks to the provided login, in the database. Then you salt the password and hash it, and compare the result with the password you got in the database.
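One way to implement the lookup-then-compare described above while still returning a single failure message, as an added example rather than the commenter's code. The in-memory store, the PBKDF2 parameters and the dummy record used for unknown logins (so the server does the same hashing work either way) are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000                       # PBKDF2 work factor (assumed)
GENERIC_ERROR = "username or password is incorrect"

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def create_user(store, login, password):
    """Store a fresh random salt and the salted hash; never the password."""
    salt = os.urandom(16)
    store[login] = (salt, hash_password(password, salt))

# A throwaway record used when the login is unknown, so the server does the
# same hashing work either way and response time does not reveal whether the
# account exists (assumed technique, not from the thread).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("never-a-valid-password", _DUMMY_SALT)

def verify_login(store, login, password):
    """Return (ok, message). The message is identical for an unknown login
    and a wrong password, so the caller cannot tell which case occurred."""
    record = store.get(login)
    known = record is not None
    salt, expected = record if known else (_DUMMY_SALT, _DUMMY_HASH)
    candidate = hash_password(password, salt)
    # compare_digest runs in time independent of where the bytes differ;
    # the comparison is always performed before `known` is consulted.
    matched = hmac.compare_digest(candidate, expected)
    if matched and known:
        return True, "ok"
    return False, GENERIC_ERROR
```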

    7. Re: Except by Zero__Kelvin · · Score: 3, Insightful

      This has to be the most stupid thing I've seen argued about on Slashdot in years. It is possible that someone may mistype a username or a password. In the former case it is possible such a user exists that is not the intended user. If they try to log in and mistype but there is a username that matches it is still possible the username is incorrect and not the password. The system has no way of knowing. In the end, no pertinent additional information is conveyed by adding additional checks and serving up a different message when the user doesn't exist. There is added complexity with no benefit.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    8. Re: Except by Anonymous Coward · · Score: 2, Informative

      If it is in the database, it is a valid username (or once was), but that doesn't mean that it is *correct*.

      If I'm jsmith1 and try to log in as jsmith with my password, then it'll fail. Why did it fail? Depending on your perspective it failed either because of a wrong password (it wasn't jsmith's password!) or a wrong username (password was correct, but username was wrong).

      The whole point of the article is to have something like "oh you used the wrong username" if the username is invalid. Fine, you can do that if the username isn't in the database. But if it IS in the database, the best you can say is that either the username is incorrect, the password is incorrect, or both are incorrect. If the username's in the database you still don't know if the user typed it right or not...

    9. Re: Except by Wycliffe · · Score: 2

      We regularly get calls from irate customers who are unable to log in to our website and it's not at all uncommon for them to be either trying to log into one of our competitor's sites or trying to use credentials for our competitor's site on our site.

  2. Unless... by Anonymous Coward · · Score: 5, Insightful

    There's no publicly available 'sign up' option.

    1. Re:Unless... by MightyYar · · Score: 5, Interesting

      The other thing is I may not want people knowing whether or not I have signed up for a service... Does MightyYar have an account at BigFatBootyMamas? Yes, yes he does. I don't care if you can sign in and see the beautiful ladies on my dime, but I don't want it to be easy for people to check my email address against random websites looking for where I have accounts.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    2. Re:Unless... by mysidia · · Score: 2

      There's no publicly available 'sign up' option.

      Even then, sometimes the publicly available sign up option requires more intensive/time-exhausting work than simply logging in.

      For example: you might specify your e-mail address, then be sent an e-mail with a link to continue the signup process.

      You might have to specify your E-mail address before attempting to pick a username, and the username availability test will be delayed, and the number of usernames you can check per e-mail address will be limited, AND some usernames that aren't actually in use will be shown as Unavailable --- for example, simple dictionary words, and simple dictionary words appended by 1 or 2 digits might be pre-reserved; the username is not in use but will show as Unavailable during signup.

    3. Re:Unless... by slyborg · · Score: 2

      What kind of cretin signs up for anything sketchy with their main identity? If this is your concern you have more basic Internet skills deficiencies.

    4. Re:Unless... by JohnFen · · Score: 2

      This.

      I honestly worry about people who only have one identity they use for all purposes on the internet.

    5. Re:Unless... by gweihir · · Score: 2

      Or it is much more carefully rate-limited than the login-option or captcha'ed. Seriously, what is bullshit here is the "story".

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:Unless... by Obfuscant · · Score: 2

      If someone tries to create an account for mightyyar@zorlonmail.example,

      They're not trying to create an account, they're running email addresses through the login process. If the login process normally fails with "no such user", and it does not fail that way with "mightyyar@zorlonmail.example", then you know that MightyYar has an account there. It's worse than just using a username, since anyone could have the username "MightyYar", but only one mailbox "mightyyar@zorlonmail.example" can exist.

      If it fails with "username or password incorrect" you don't know nothin.

      then you'll receive the confirmation message instead of the attacker.

      If a website sends a confirmation email for a login attempt, or for an attempt to create an account that already exists, then it is a mailbomb waiting to happen. The victim getting the "confirmation message" is the goal, not the deterrent.

  3. Non sequitur. by msauve · · Score: 5, Insightful

    "Only the dumbest, laziest hacker is stopped by the "username or password is incorrect" sign in. You gain no security, yet your customers lose clarity."

    By your own admission, you gain, at the very least, security from dumb, lazy hackers.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re: Non sequitur. by Zero__Kelvin · · Score: 2

      And telling them it doesn't exist helps them remember how?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  4. IT Security Theater by Comboman · · Score: 5, Insightful

    There are plenty of IT "Best Practices" that have been proven useless or just plain wrong. Forcing users to change passwords regularly just trains them to use insecure passwords. Forcing upper and lower case just trains users to always capitalize their password. Forcing numbers & punctuation just trains users to adopt the standard replacements (a = @, e = 3, etc). All of it is just an excuse to blame the victim when a breach inevitably happens.

    --
    Support Right To Repair Legislation.
    1. Re:IT Security Theater by houghi · · Score: 2

      P@ssw0rd is the safest password known to mankind. I even use it for my luggage.
      8 characters? Check!
      Not a word? Check!
      No standard character? Check!
      Upper case? Check!
      Lower case? Check!
      Letter? Check!
      Number? Check!

      I think it should be used by everybody because it is so safe.

      --
      Don't fight for your country, if your country does not fight for you.
  5. Snarky post paints with too broad a brush by ScentCone · · Score: 4, Insightful

    I deal with many systems that use admin-approved accounts only, following an application processing cycle. The application process deliberately does NOT inform the applicant that they're attempting to create a duplicate account. On purpose. For exactly this reason. And when someone tries to log in, we provide the "user name and password combination not valid" response. Because we don't want to provide a test platform for someone trying to deduce legit user names. Likewise with the password reset features. While it offers to communicate (using two factors) a tokenized reset link to the user, it does NOT say that the presentation of a non-existent email address means a matching account couldn't be found. Because that's just another test platform we don't feel like offering to bad guys. End users may want it to be easier, but adequate communication/explanation of why it is the way it is generally satisfies all but the worst of the PHBs.

    --
    Don't disappoint your bird dog. Go to the range.
  6. The entire premise is flawed by rsilvergun · · Score: 4, Insightful

    reCAPTCHA means you can't brute force user checks, because even if you can get around it most have a 5-10 second delay built in; which slows any attempt to get a meaningful list of active usernames to a crawl. This is lame click bait. Another 'article' that reads more like a poorly conceived /. post that was made on a better article.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re:The entire premise is flawed by SethJohnson · · Score: 2

      Not trying to disprove your thoughtful post here, rsilvergun. Just want to expand people's awareness of modern vulnerability probing

      reCAPTCHA means you can't brute force user checks, because even if you can get around it most have a 5-10 second delay built in

      The delay is effective at slowing a single-source attack. Modern probing is performed by botnets numbering in the tens-to-hundreds of thousands of sources. I run a firewall monitor that tracks connections attempts and reports them to Dshield. If you look at hits and check their reports on any given IP address, you won't see a particular IP address attempting thousands of connections across a bunch of different targets. Something that hits my firewall probing for exposed mysql or MS SQL Server ports will only be reported by a few other targets if at all. This is because the attackers are distributing the probing across enormous botnets and limiting any individual member of the botnet from being identified as generating hostile network traffic.

      So, what I'm saying is that a 5-second delay on a failed login does slow down a single-sourced probe. The attacker distributes the probing across a many-thousand-member botnet and can make many thousands of requests per second.

  7. Very short sighted by Kincaidia · · Score: 5, Insightful

    "a hacker could manually validate their usernames of interest by trying to sign up, then automate an attack on the sign in page." The fuck? He drops that like it's trivial. The whole point is not allowing to blast usernames until you find one that exists. You throttle EVERYTHING. Signups from an IP. Logins from an IP. Login attempts to a specific account. Everything has throttles. I think the author is seriously off on their reasoning.

  8. INCREASE guessing cost by redelm · · Score: 2

    Crackers play script games because they can. Good programming should assist genuine users (who make more mistakes than scripts) while heavily penalising automated attacks. [re]CAPTCHA is one idea, rather poorly implemented (AI is better than humans). But lockout, exponential backoff, black- and greylists, IP fail2ban, rate limiting, fail advice, provisional (honeypot?) access and other tactics will increase attack costs. Yes, some of them become DoS, but all cracking essentially is exactly this.

  9. It's still costly enough by rsilvergun · · Score: 2

    to deter most would be 'hackers'. It's like putting a club on your car steering wheel. It gets them to move on to easier targets.

    Also, there's other things you can do. Like track IPs or use browser fingerprinting to mitigate these attacks. Real ipsec is complicated as hell. At least if you put any real effort into it, which believe it or not most companies do. Where they get hacked is they skimp on the rank and file who do the server patching or they skimp on training their employees to watch out for scams.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  10. Re:reCAPTCHA has been fucking broken for WEEKS by Ksevio · · Score: 2

    Have you considered that you might be a robot? I just click the checkbox that says "I am not a robot" and I'm in

  11. Require email login, not username login by tepples · · Score: 3, Informative

    Requiring users to log in with an email address, as opposed to a username, doesn't disclose that the account exists. If you try to create an account for an address that you do not control, you will not receive the verification message. If you try to create an account for an address that you do control and which already has an account, you'll begin a password reset instead.

  12. As a pentester from experience I disagree by bongk · · Score: 3, Insightful

    It is not that hard to build a login process, a registration process and a password reset process that don't disclose if a guessed username is a correct username. And these controls do add significant value.

    Username enumeration is one of the first things I consistently look for when penetration testing a web-facing application.
    Why?

    Because if I can start enumerating valid users I can start building a big list of usernames.
    Once I have a list of usernames I can start password spraying.

    What's password spraying? I try one password guess per day against each user account that I identified.
    Is it a company that rotates passwords every 90 days? OK then "Winter2017", "November2017", etc.
    Is it a retailer based in Wisconsin? OK then "Packers1", etc.
    This approach is probably about 80% effective at guessing at least one user's password if I can enumerate at least a few hundred usernames.
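A defender-side companion to the spraying pattern the comment describes, as an added example that is not the commenter's code: it flags a source whose failed logins within a window spread across many usernames with only a few attempts each, which is the shape a spray leaves in authentication logs, while a single-account brute force (many attempts, one user) is left to per-account lockout. The log format, field names, addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-login records (not from any real system).
SAMPLE_LOG = """\
2017-11-01T09:00:01Z login_failed user=jsmith src=203.0.113.7
2017-11-01T09:00:02Z login_failed user=jdoe src=203.0.113.7
2017-11-01T09:00:03Z login_failed user=mlee src=203.0.113.7
2017-11-01T09:00:04Z login_failed user=akhan src=203.0.113.7
2017-11-01T09:00:05Z login_failed user=bwong src=203.0.113.7
2017-11-01T09:00:06Z login_failed user=cpark src=203.0.113.7
2017-11-01T09:10:00Z login_failed user=jsmith src=198.51.100.9
2017-11-01T09:10:30Z login_failed user=jsmith src=198.51.100.9
2017-11-01T09:11:00Z login_failed user=jsmith src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) login_failed user=(\S+) src=(\S+)$")

def parse(log_text):
    """Turn log lines into (timestamp, user, src) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3)))
    return events

def detect_spray(events, window=timedelta(hours=1), min_users=5, max_per_user=2):
    """Return {src: distinct_users} for sources whose failures in some window
    touch at least min_users accounts with at most max_per_user tries each."""
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))
    flagged = {}
    for src, items in by_src.items():
        items.sort()
        start = 0                      # sliding window over time-ordered failures
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in items[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                flagged[src] = max(flagged.get(src, 0), len(counts))
    return flagged
```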

  13. "For a certain subset of reality..." by WoodstockJeff · · Score: 2

    When someone tries to log in to one of my systems, I cannot tell which value is incorrect. There is no "look up the user name, then compare the password given", it must be a matched set.

    By the time the query to see if the user is valid is made, the user name and password have been hashed, and the query asks for a match to that hash. No match? One of them is wrong, figure it out.