Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Username or Password is Incorrect' Security Defense is a Weak Practice (hackernoon.com)

Posted by msmash on from the challenging-the-norms dept.

Travis Jeffery, writing for HackerNoon: There's a security best practice where sign ins aren't supposed to say "password is incorrect." Instead they're supposed to say the "username or password is incorrect." This "best practice" is bullshit. Stripe's and GitHub's sign ins for example follow this practice. The idea is if an attacker knows a username, he or she could concentrate on that account using SQL injection, brute forcing the password, phishing, and so on. Here's the problem. All a hacker has to do is sign up to know whether the username is valid or not. Why bother then with obfuscating the sign in? Only the dumbest, laziest hacker is stopped by the "username or password is incorrect" sign in. You gain no security, yet your customers lose clarity. Stripe has their form submission behind reCAPTCHA to prevent naive scripts attacking their sign up. However this has been broken multiple times and likely won't ever be perfect. Even if reCAPTCHA was perfect, a hacker could manually validate their usernames of interest by trying to sign up, then automate an attack on the sign in page.

10 of 249 comments (clear)

  1. Except by Anonymous Coward · · Score: 5, Insightful

    The user may have entered either the password OR username incorrectly. So saying "password is incorrect" could be misleading.

    1. Re: Except by bluelip · · Score: 4, Interesting

      ...or that not all systems allow a user to create their own accounts.

      --

      Yep, I never spell check.
      More incorrect spellings can be found he
    2. Re:Except by jellomizer · · Score: 4, Insightful

      Also this argument seems focused around consumer level sites, where people can make their own accounts. Systems with data that they are really trying to secure, has an Administrator create an account, and not the end user.
      Also the level of complexity to try to check if a new account is used or not, by making a login into the system, is a bit harder then just trying the login screen. Meaning the hacker will need to be more particular to the system they are trying to break into. As other then trying to put in 2 data points login name/password, it will need to navigate the account creation page.
      Finally if you setup your security in your system in a better way the computer really doesn't know if it was your login or your password was incorrect. You really shouldn't be loading the Account object until after authentication is confirmed.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  2. Unless... by Anonymous Coward · · Score: 5, Insightful

    There's no publicly available 'sign up' option.

    1. Re:Unless... by MightyYar · · Score: 5, Interesting

      The other thing is I may not want people knowing whether or not I have signed up for a service... Does MightyYar have an account at BigFatBootyMamas? Yes, yes he does. I don't care if you can sign in and see the beautiful ladies on my dime, but I don't want it to be easy for people to check my email address against random websites looking for where I have accounts.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  3. Non sequitur. by msauve · · Score: 5, Insightful

    "Only the dumbest, laziest hacker is stopped by the "username or password is incorrect" sign in. You gain no security, yet your customers lose clarity."

    By your own admission, you gain, at the very least, security from dumb, lazy hackers.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  4. IT Security Theater by Comboman · · Score: 5, Insightful

    There are plenty of IT "Best Practices" that have been proven useless of just plain wrong. Forcing users to change passwords regularly just trains them to use insecure passwords. Forcing upper and lower case just trains users to always capitalize their password. Forcing numbers & punctuation just trains users to adopt the standard replacements (a = @, e = 3, etc). All of it is just an excuse to blame the victim when a breach inevitably happens.

    --
    Support Right To Repair Legislation.
  5. Snarky post paints with too broad a brush by ScentCone · · Score: 4, Insightful

    I deal with many systems that use admin-approved accounts only, following an application processing cycle. The application process deliberately does NOT inform the applicant that they're attempting to create a duplicate account. On purpose. For exactly this reason. And when someone tries to log in, we provide the "user name and password combination not valid" response. Because we don't want to provide a test platform for someone trying to deduce legit user names. Likewise with the password reset features. While it offers to communicate (using two factors) a tokenized reset link to the user, it does NOT say that the presentation of a non-existent email address means a matching account couldn't be found. Because that's just another test platform we don't feel like offering to bad guys. End users may want it to be easier, but adequate communication/explanation of why it is the way it is generally satisfies all but the worst of the PHBs.

    --
    Don't disappoint your bird dog. Go to the range.
  6. The entire premise is flawed by rsilvergun · · Score: 4, Insightful

    reCAPTCHA means you can't brute force user checks, because even if you can get around it most have a 5-10 second delay built in; which slows any attempt to get a meaningful list of active usernames to a crawl. This is lame click bait. Another 'article' that reads more like a poorly conceived /. post that was made on a better article.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  7. Very short sighted by Kincaidia · · Score: 5, Insightful

    "a hacker could manually validate their usernames of interest by trying to sign up, then automate an attack on the sign in page." The fuck? He drops that like it's trivial. The whole point is not allowing to blast usernames until you find one that exists. You throttle EVERYTHING. Signups from an IP. Logins from an IP. Login attempts to a specific account. Everything has throttles. I think the author is seriously off on their reasoning.