Wednesday, September 05, 2007

Security Myth: Generic Login Error

Update: begins with the quoted comment below.

Several years ago I was working on a web application that had a login screen. I created separate error messages based on whether the user could not be found or the password was invalid. It wasn't a requirement, but I thought it was a nice-to-have (and I hadn't begun doing Agile yet). When I demoed the feature to my boss he asked, "Isn't that a security concern? Now hackers will know which usernames are valid." At the time I thought his observation was fair and I removed the feature.

Fast-forward a few years. These days, several of my logins are my email address. Actually, my logins are usually an email address I set up for individual sites. For example, I might create americanairlines@jayfieldsthoughts.com if I were going to give American Airlines my email address (don't bother emailing me at that address; it's not real). However, sometimes I don't bother to create an address for a site; I'll use something generic such as throwaway1@jayfieldsthoughts.com. Of course, this creates a problem when I go to a site that I use about once a year. Did I sign up with a specific address or did I use a throwaway one? The usual workflow from that point is to try a specific email address, and click the "forgot password" link if it fails. In forgot password I can try my specific email and a few throwaways if necessary. I know when I find a match because the site tells me that "an email has been sent."

Here's where I have an issue. Maybe I can't find out from the login screen what is a valid username and what isn't, but it only takes me a click to get to a screen that tells me exactly that. Do we really believe that a hacker is going to give up on the login screen and not just hit the "forgot password" link like I do? I don't believe that, which brings me to the question: why not just show me on the login screen that the email address is invalid?

Of course, this doesn't apply to sites that use non-email usernames. But those sites that do use email addresses: please improve my user experience and save me the extra click. You aren't providing me any extra protection. In fact, the only people you are slowing down are your users.

    If the goal is to stop attackers enumerating valid account names then the forgotten password screen should not indicate the difference between a hit on username and a miss.

    That's not a problem for the valid user as they'll get an e-mail to the valid account, but it stops the attacker from getting that information. -- Rory McCune
I forgot to address this. I considered the idea of changing the forgot password screen to display "an email may or may not have been sent" message following a submit. While it's an option, I basically dismissed the idea as a user experience so poor it wasn't worth the additional security. The message alone isn't horrible, but the problem is that a speedy email isn't always guaranteed. So, I can imagine a scenario where I misspell my email address, submit and get the "no confirmation" confirmation, and never receive an email. Or, I submit various email addresses waiting for an email to show up eventually. Later, I'm disappointed to find that I got it right the first time, but the server wasn't sending out emails very quickly and I wasted 15 minutes trying to guess all possible email combinations.

If security were such an issue that I had to display a meaningless message, I believe a superior solution would be to create unique usernames instead.

Good observation though and thanks for the comment Rory.
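What the update and the comments circle around is a single design rule: no screen that takes an email address (login, forgot password, or, as comment 7 asks, sign-up) should answer differently for a registered and an unregistered address. The block below is an added example written for this page; it is not code from the post, its author, or any site named in the comments. The class name, the message strings, the in-memory outbox, the PBKDF2 work factor and the per-client request cap are all assumptions for illustration. It also covers the caveat a generic message alone does not: if the login handler skips the password hash for unknown users, the response time still separates the two cases, so the handler hashes against a throwaway credential when the address is unknown.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Tuple

PBKDF2_ROUNDS = 100_000          # assumed work factor; tune for the deployment
RESET_LIMIT = 5                  # assumed per-client cap on reset requests
LOGIN_FAILED = "Invalid email address or password."
RESET_SENT = "If an account exists for {email}, a password-reset link has been sent to it."
SIGNUP_SENT = "A confirmation message has been sent to {email}."


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AccountService:
    """Hypothetical account service (added example). Every public method gives the
    same on-screen answer whether or not the address is registered, so neither the
    login form, the forgot-password form nor the sign-up form confirms which
    addresses exist."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}   # email -> (salt, pbkdf2 hash)
        # A throwaway credential hashed for unknown addresses, so a missing account
        # costs the same time as a wrong password (a generic message alone leaves
        # this timing difference open).
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash_password(secrets.token_hex(16), self._dummy_salt)
        self.outbox: List[Tuple[str, str]] = []     # (recipient, subject) of mail that would be sent
        self._reset_requests: Dict[str, int] = {}   # client address -> reset requests seen

    def register(self, email: str, password: str) -> str:
        """Same response for new and already-registered addresses; only the email
        that lands in the address owner's inbox says which case applied."""
        if email in self._users:
            self.outbox.append((email, "You already have an account; use password reset to sign in"))
        else:
            salt = os.urandom(16)
            self._users[email] = (salt, _hash_password(password, salt))
            self.outbox.append((email, "Confirm your new account"))
        return SIGNUP_SENT.format(email=email)

    def login(self, email: str, password: str) -> Tuple[bool, str]:
        """Returns (True, session token) or (False, LOGIN_FAILED). The hash is
        computed even for unknown addresses and compared in constant time."""
        salt, expected = self._users.get(email, (self._dummy_salt, self._dummy_hash))
        matches = hmac.compare_digest(_hash_password(password, salt), expected)
        if matches and email in self._users:
            return True, secrets.token_urlsafe(32)
        return False, LOGIN_FAILED

    def forgot_password(self, email: str, client: str) -> str:
        """Always acknowledges, echoing the address back so a typo is visible.
        Registered addresses get a reset link; unregistered ones get a notice that
        someone tried (the idea in comment 6). Requests beyond RESET_LIMIT from one
        client are acknowledged identically but send nothing."""
        count = self._reset_requests.get(client, 0) + 1
        self._reset_requests[client] = count
        if count <= RESET_LIMIT:
            if email in self._users:
                self.outbox.append((email, "Your password-reset link"))
            else:
                self.outbox.append((email, "A password reset was requested for an address with no account"))
        return RESET_SENT.format(email=email)


if __name__ == "__main__":
    svc = AccountService()
    # Constructed sample account and requests; nothing here is real data.
    print(svc.register("alice@example.com", "correct horse battery"))
    print(svc.login("alice@example.com", "wrong")[1])
    print(svc.login("nobody@example.com", "wrong")[1])       # identical text to the line above
    print(svc.forgot_password("nobody@example.com", client="203.0.113.7"))
```

The per-client counter is only a sketch of rate limiting; an attacker with many source addresses walks around it, so a real deployment would also cap requests per target address and log the pattern. The registered/unregistered distinction is pushed entirely into the email channel, which is what the update's author finds unacceptable on UX grounds; the echoed address in the acknowledgement is the mitigation comment 2 proposes for that.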

7 comments:

  1. A different take on that is that there's still an issue with the forgotten password screen.

    If the goal is to stop attackers enumerating valid account names then the forgotten password screen should not indicate the difference between a hit on username and a miss.

    That's not a problem for the valid user as they'll get an e-mail to the valid account, but it stops the attacker from getting that information.

  2. Greetings,
    I disagree... 'Forgot Password' screens should always say, 'email sent'.

    Think of it like this. You, as a phisher (or just a spammer), get a list of email addresses. You probably know that hotmail (for example) treats senders that send to a bunch of bad email addresses as spammers, and auto-filters them for their users.

    You also know that eBay has a large number of users, so you spam eBay with 'Forgot Password' requests for all those users.

    If eBay responded with an affirmative that they sent the email (and responded otherwise for non-users), then eBay would have given away the information that those email addresses are valid.

    Now you have two pieces of valuable information; a valid email address, and that they are a user on eBay. (The same is true for nearly any other site.)

    That's not a good place to be, which is why eBay responds in the affirmative to every 'forgot password' request.

    The site can also address the 'typing the email address correctly' issue by providing two text entry boxes, and validating them against each other. (Unless the user makes the same typo twice.) The site should then always answer in the affirmative, and include in the response the email address you sent to, to give them a third chance to catch misspellings.

    Most users are NOT like you, and do not vary their email addresses for each site, etc... They use the same email address (and the same password!) on many sites. Forgot password is relatively straightforward for the normal user, and they don't need to iterate over multiple addresses for any given site. I think this is an example of thinking of your use case as the primary use case, when it's not...

    Most people would not be happy if they realized that their email addresses can be verified all over the place. Please don't add to the problem by building more services that make the same mistakes.

    -- Morgan

  3. Anonymous, 5:02 PM

    Morgan,

    I agree that my behavior isn't that of a typical user. I agree with your points; however, I still think the best solution is probably to avoid using email addresses as usernames. It's the sites that don't do what you or I are suggesting that bother me.

    Cheers, Jay

  4. Greetings,
    Mmmmm...tasty OpenID. :)

    Maybe someday it'll replace 'email address' as the default username...but it'll take a while, I think.

    -- Morgan

  5. "The best solution is probably to avoid using email addresses as usernames."

    But email addresses overcome the problem that users have in remembering usernames...

  6. Anonymous, 10:21 AM

    Maybe it should be considered a problem that the site tells you when you found a correct e-mail address for the purposes of recovery.

    In fact, it should always send an e-mail to the user notifying that e-mail address that an attempt to recover an account at that domain occurred. Of course this needs limitation too, otherwise it may too be abused. - Add an abuse link in the e-mail which will then block that IP / session etc - and one which will prevent that email address from being sent recovery details again.

    Personally, I would quite like to know if someone has been trying to login to random sites using my credentials, even if I don't use that site myself.

  7. Anonymous, 3:36 AM

    Doesn't the same thing apply to creating new accounts?

    If an email address or username already has an account you'll be notified that you can't create a new account.

