views:

46

answers:

2

Here is the question I have been posed:

"What is the best way to handle invalid credentials when logging into a site. Do we tell the user if their username was invalid? Or likewise if their password is invalid?"

I did some searching, but I'm having trouble finding a site with some best practices for this, to refer them to.

My question for the community here: Does anyone here know a site that has some good guidelines/best practices for this?

+5  A: 

Just say that their credentials were incorrect.

Telling them that one piece of information was correct means that you're helping hackers discover user names at the very least.

If I enter:

admin

Password1

for example and I get a response that the password was invalid, I now know that there is a user called "admin" on your system. I can now just vary the password in an effort to gain access.

If the response was "invalid user name or password" then I'm no wiser about whether there is a user called "admin" or not.

ChrisF
+1 There's probably not a site that will cover this in depth because this is about all there is to it.
Scott Saunders
I understand this and explained this to them. However they asked for some "best practices" and I couldn't find anything published by a reputable source, so I was hoping someone here might know of something.
Sam
@Sam - Like Scott I don't know of anywhere that covers this specifically, sorry. Isn't Stack Overflow a reputable source ;)
ChrisF
@ChrisF .... I don't know if our customer who has paid lots of money wants to hear "Just go read the comments on Stackoverflow" :)
Sam
@Sam - I can understand that ;)
ChrisF
A: 

The most authoritative discussion I can find on this issue is from the "Web Security Testing Cookbook," Recipe 12.8.

The book points out:

  1. You should provide a generic message indicating either the username or password was incorrect; revealing that just the username is correct allows attackers to enumerate valid usernames.
  2. Account lockout functionality, after X number of tries, also carries the same risk; attackers can lockout accounts to find out if the usernames were valid or not.

You can read the whole "recipe" via Google Books here: http://books.google.com/books?id=VmrSJ3V-s%5FMC&lpg=PA249&ots=cU7V62FQOA&dq=web%20security%20reveal%20valid%20username&pg=PA248#v=onepage&q=web%20security%20reveal%20valid%20username&f=false

Ben Walther
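As an added illustration (not code from either answer or from the book), here are the two points above side by side in Python: a leaky handler that names which part of the credential failed, and a handler that returns one generic message whether the username is unknown, the password is wrong, or the account is locked, and that verifies a placeholder hash for unknown names so the failure path does the same work either way. The in-memory user store, the password, and the lockout threshold are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000
GENERIC_FAILURE = "Invalid username or password."
MAX_FAILURES = 5  # constructed lockout threshold for the demonstration


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed single-user store; a real system would read from a database.
_salt = os.urandom(16)
USERS = {"admin": (_salt, hash_password("correct horse battery staple", _salt))}

# Placeholder credential verified whenever the username does not exist, so an
# unknown name costs the same hashing work as a wrong password for a real one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(os.urandom(16).hex(), _DUMMY_SALT)

FAILURES = {}  # username -> consecutive failed attempts, tracked for any name


def login_leaky(username: str, password: str):
    """The behaviour the answers warn against: a different message per cause."""
    rec = USERS.get(username)
    if rec is None:
        return False, "Unknown username."
    salt, stored = rec
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return False, "Incorrect password."
    return True, "Welcome."


def login_generic(username: str, password: str):
    """Same message for unknown user, wrong password, and locked account."""
    rec = USERS.get(username)
    salt, stored = rec if rec is not None else (_DUMMY_SALT, _DUMMY_HASH)
    matched = hmac.compare_digest(hash_password(password, salt), stored)
    locked = FAILURES.get(username, 0) >= MAX_FAILURES
    if rec is None or locked or not matched:
        FAILURES[username] = FAILURES.get(username, 0) + 1
        return False, GENERIC_FAILURE
    FAILURES.pop(username, None)
    return True, "Welcome."
```

Because the lockout counter is kept for unknown names as well and the locked response is the same generic message, a caller cannot tell a locked real account from a name that never existed.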