views: 222
answers: 5

In many applications when you make a mistake in either your user name or password you get a non-specific error indicating that either the user name entered does not exist or the password is incorrect for that user name.

I (naively) would expect the application to specify which one of the two errors happened. Is there any reason for not differentiating between them? I guess it would make it more difficult for an attacker to guess a correct user name/password combination, but is there any literature, research or similar that backs up this assumption?

+6  A: 

The reason would be security: it prevents finding out which user names exist based on failed attempts.

This should be balanced with the user experience; if you're told that either your user name or password is incorrect, it can be perceived as very unhelpful or annoying.

molf
+1  A: 

Common sense dictates that an ambiguous message is better because an attacker would be unable to know if they had guessed a correct username.

Andrew Hare
+1  A: 

It's an extra hoop the attacker needs to jump through. If he's cold-attacking an application he won't know any usernames or passwords. Why give him an extra bit of information to tell him that he has found a username? It's better to withhold the information.

What if the attacker is just looking to confirm that a particular username exists? Say, the name of a politician as a username for a fetish site, as an example. The username itself is sensitive information and you do not want to confirm which exist and which do not.

Welbog
+1 for the real world example :)
slolife
+3  A: 

Yes, that’s exactly why many apps/sites do not specify which part of the login is bad. I used to have the same complaint, but then I read a bunch of computer security books including 19 Deadly Sins of Software Security. Among other things like overflows and SQL injection, Michael Howard does explain the reasoning of returning a unified error for logins.

HTH

Synetech inc.
+1  A: 

It's all about giving an attacker as little information as possible. Some sites go even further with this on password reminders. When you input your email address to receive a new password or a password reset link, they don't tell you if your email address is registered in the database but give you a message like this: "if the email address you entered is in our database you will receive a message..." This prevents the attacker from finding out which email address was used by the victim and may also alert the victim that someone is trying to break into her account.

Mihai Secasiu
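The unified login error from the accepted answer and the non-committal password-reset message from this answer, as one added example (not code from any of the posters). It contrasts a leaky login routine that reports "no such user" separately with a version that returns one message, and it also does the password-hash computation even when the username is unknown, so that a much faster "unknown user" response does not give the same information away through timing. The user store, the `alice` account, and the `OUTBOX` list standing in for a mail transport are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password; the cost is what makes timing observable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed sample data for the example: one registered user and her email.
USERS = {"alice": _make_record("correct horse battery staple")}
EMAILS = {"alice@example.com": "alice"}

# A random credential hashed once at start-up; used only so that the expensive
# hash runs for unknown usernames too (the result is never accepted).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)

LOGIN_ERROR = "Invalid username or password."
RESET_MESSAGE = ("If the email address you entered is in our database "
                 "you will receive a message with further instructions.")


def authenticate_leaky(username: str, password: str):
    """The behaviour the question describes wanting: distinct errors.

    An attacker can tell from the message alone which usernames exist.
    """
    record = USERS.get(username)
    if record is None:
        return False, "No such user."
    if not hmac.compare_digest(hash_password(password, record["salt"]), record["hash"]):
        return False, "Wrong password."
    return True, "Welcome, %s." % username


def authenticate(username: str, password: str):
    """Unified error: same message, and the same amount of work, either way."""
    record = USERS.get(username)
    if record is None:
        salt, expected = _DUMMY_SALT, _DUMMY_HASH
    else:
        salt, expected = record["salt"], record["hash"]
    # Always compute and compare, so unknown-user and wrong-password paths
    # take comparable time; compare_digest avoids a byte-by-byte early exit.
    matched = hmac.compare_digest(hash_password(password, salt), expected)
    if record is None or not matched:
        return False, LOGIN_ERROR
    return True, "Welcome, %s." % username


OUTBOX = []  # constructed stand-in for sending mail


def request_password_reset(email: str) -> str:
    """Always return the same text; only the side effect depends on the lookup."""
    username = EMAILS.get(email)
    if username is not None:
        token = secrets.token_urlsafe(32)
        # A real application would store a hash of the token with an expiry
        # and send the link by mail; here it just goes into the outbox.
        OUTBOX.append((email, username, token))
    return RESET_MESSAGE


if __name__ == "__main__":
    print(authenticate_leaky("bob", "x"))      # reveals that "bob" does not exist
    print(authenticate("bob", "x"))            # same text as a wrong password
    print(authenticate("alice", "x"))
    print(authenticate("alice", "correct horse battery staple"))
    print(request_password_reset("nobody@example.com"))
    print(request_password_reset("alice@example.com"), len(OUTBOX))
```

The dummy-hash step is the part people usually forget: if the application returns the generic message but skips the hash for unknown users, the response time still distinguishes the two cases, and a patient attacker can enumerate usernames anyway.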