Sunday, October 10, 2010

Username 'or' password incorrect. Why can't you tell me which one?

If you ever wondered why your server is so dumb, think again!!!
We always value usability over security and are not ready to give up an ounce of usability for security. If you ever got the above message when logging onto a server, you should sleep peacefully. Here's why ...

Your username and password are both "personal data". Leaking the password reveals your protected data explicitly, but revealing your username to someone else invades your privacy and leaks implicit data that can be used by malicious entities.

Suppose I am the hacker kid next door. I want access to your credit card account online. For the sake of easier examples, say your name is John Smith ...
I have to know your username and your password to log on to your server (of course I have to know what brand/service you use before that, but we'll get there a bit later). For usability, your server decides to help you remember your forgotten usernames. Your legitimate username on the webpage is john_smith.
I start typing username/password combinations on your credit card's server page ...

jsmith/password1: Username not found
smithj/password1: Username not found
johnsmith/password1: Username not found
john_smith/password1: Incorrect password

Aha! 4 tries to get your username - not bad; and all I have to do now is break your password with the username held constant. This is a hard problem to solve if you do have a really good password, but not that difficult these days given enough time and resources. Assuming I run a good home machine and that you have a fairly long and cryptic password, the machine would still be able to break the combination in a matter of weeks, if not days (or hours - who knows?).

Now if instead the server was telling me "username or password incorrect", here's what would happen:

jsmith/password1: Username or password incorrect
smithj/password1: Username or password incorrect
johnsmith/password1: Username or password incorrect
john_smith/password1: Username or password incorrect
john.smith/password1: Username or password incorrect
...

On my 4th try I would have no information that gives away your username. I would eventually have to try all combinations of possible usernames and possible passwords, thus increasing my problem set exponentially. I would never know your username unless I found the username/password combination that unlocks your account for me.
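To make the difference concrete, here is an added example (not code from the original post) contrasting the "helpful" login check with the generic one. The user store, the salt, the password and the four guesses are constructed for the demo; the dummy-credential trick for unknown usernames is an assumption added here so that the generic version also does the same amount of work whether or not the username exists, since a faster "no such user" path would leak the username through response time instead of the message text.

```python
import hashlib
import hmac
import os
import secrets

# PBKDF2 iteration count lowered for the demo; use a much higher count in production.
_ITERATIONS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed sample user store: {username: (salt, pbkdf2_hash)}.
# The salt is fixed only so the demo is reproducible; real salts are random per user.
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {
    "john_smith": (_SALT, _hash_password("correct horse battery staple", _SALT)),
}

# Dummy credential verified whenever the username is unknown, so the unknown-user
# path costs the same as the known-user path (assumption: no timing side channel).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)

GENERIC = "Username or password incorrect"


def login_verbose(username: str, password: str):
    """The 'helpful' server from the post: the message reveals whether the username exists."""
    record = USERS.get(username)
    if record is None:
        return (False, "Username not found")          # leaks: username does not exist
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return (False, "Incorrect password")          # leaks: username exists
    return (True, "Welcome")


def login_generic(username: str, password: str):
    """Hardened server: same message and same work whichever part is wrong."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # Always hash and compare first, then check membership, so the expensive
    # step runs for unknown usernames too.
    matched = hmac.compare_digest(_hash_password(password, salt), stored)
    if not (matched and username in USERS):
        return (False, GENERIC)
    return (True, "Welcome")


def distinct_failure_messages(login, attempts):
    """Defender's check: how many different failure strings does a login function expose?

    More than one distinct failure message means the responses can be used to
    tell valid usernames apart from invalid ones.
    """
    messages = set()
    for username, password in attempts:
        ok, message = login(username, password)
        if not ok:
            messages.add(message)
    return messages


# The four guesses from the post (constructed, all with the wrong password).
ATTEMPTS = [
    ("jsmith", "password1"),
    ("smithj", "password1"),
    ("johnsmith", "password1"),
    ("john_smith", "password1"),
]

if __name__ == "__main__":
    for name, fn in (("verbose", login_verbose), ("generic", login_generic)):
        print(f"{name}: {sorted(distinct_failure_messages(fn, ATTEMPTS))}")
```

Running the block prints two failure strings for the verbose login and exactly one for the generic login; the `distinct_failure_messages` check is the kind of test a defender can keep in a test suite so that a later "helpful" change to the error text does not quietly reintroduce the leak.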

Just some security basics for the uninitiated out there. Hope it sparks enough interest in someone to get involved.