views:

141

answers:

5

My php user authentication script is based on code from someone who, at the time, was a much better coder than me. As such I trusted that the parts I didn't quite see the point of were better left alone unless I had a good reason to change them. I've since improved and have my own ideas of what should be done.

One of the things in this script is allow you to define (and easily change) a custom name for the html login and password fields.

I guess if someone is trying to brute force their way into an account this would allow you to confuse their script until they notice and react, but otherwise I just don't see the point.

Can anyone explain any real benefit of this before I simplify my script and strip this out?

+2  A: 

It's usually an attempt to avoid automatic spiders crawling for login pages that they might be able to brute-force. Whether or not it's effective is questionable; but either way if you think it makes the code more complex than it should be, then it probably shouldn't be there.

Amber
+1  A: 

Security by Obscurity is no kind of security!
I could just search for input fields and assume that the first one was login and the second one of type="password" is password on the form regardless of their names. This won't stop anyone with even a passing knowledge of HTML and Javascript. A simple Python program using Beautiful Soup and 10 minutes will by pass this "security" for just about anyone that wants to. The barrier to entry of Python, HTML and Javascript is extremely low.

If anyone thinks different they haven't had to deal with having to patch up systems that were breached over and over because of "clever" "security" because these bad assumptions that "it makes it not worth it", if there is money even small amounts of money, it will be worth it for someone out there in the world, that has free time and no other income. And that doesn't even begin to cover the worse problem which is the oft denegrated "script kiddie" griefers that hack things just to be hacking them and causing havoc for fun.

fuzzy lollipop
I hear this way too much... security by obscurity won't protect you from a determined hacker, but it is remarkably effective for the kind of "script kiddie" attacks generally leveled against low-value sites.
Eric Petroelje
__Security by Obscurity__ should not be your last line of defense, but that does not mean obfuscation is useless.
kingjeffrey
The problem with Security through obscurity is the false sense of security it brings. It's usually subjective to measure "how much" security or "how effective" it is and people usually underestimate the risk. It's much easier to guess things (field function, token values, passwords, URLs) than most people think.
fms
@Eric your "script kiddies" are more resourceful that you think, and if a simple "View Page Source" is all you need to see the information, it isn't very secure to begin with. It might keep your Grandmother out, but anything else it is a __false sense of security__ for sure. Protect something you think is important and email the site to the hacker channels and you will see how many "script kiddies" take your site down in minutes?
fuzzy lollipop
@kingjeffrery Obfuscation is useless as a security mechanism, because naive people think it is the same thing as encryption and get a very false sense of security from their assumed cleverness, there is always some un-employeed 13 year old somewhere that is way more clever than you are and has way more time than you do. I know I was that 13 year old one time!
fuzzy lollipop
@fuzzy I agree this is always worth mentioning, at least for the benefit of those who don't understand this concept. I have successfully used security by obscurity as a quick band-aid for something that needed an immediate fix, but I then saw just how quickly that band-aid fell off. +1 since my question was essentially asking "Is this just useless security through obscurity"
Syntax Error
@fuzzy In order to do that, they would have to do a view source. In order to do that, they would have to visit your site. The chances of that happening for any given www.joesplumbing.com website are slim to none. Most script kiddie attacks are completely automated drive-by scans of random websites done by botnets looking for common exploits in common software.
Eric Petroelje
+1  A: 

This is probably used to prevent attacks targeting many computers, ie. not a brute force which tries to access your website, but attacks which tries to access any website within a range of IP addresses.

I frequently see in server logs attacks trying to exploit old phpMyAdmin bugs or other frequently used services, even if I don't have any phpMyAdmin on my website. This is quite similar.

MainMa
+5  A: 

I'm afraid there is no real benefit at all, password fields will always be type="password" in HTML which alone pretty much proves the pointlessness.

Other reasons against, any client side app will look at the HTTP requests and responses or the 'password' input (can still do both), intermediary attacks will look at HTTP / TCP packets, and brute force attacks will still brute force (although why they'd bruteforce a 'login' to a site rather than ssh, open ports or try to use known exploits is beyond me.

Hope that helps

nathan
A: 

The only advantage I can think of is that with all of the easily exploitable websites out there, attackers probably won't even bother with yours if it takes even minimal effort. I'm not sure if it's useful if these things don't change automatically though (since you're not likely to change them manually very often).

On the other hand, if your passwords are vulnerable to a dictionary attack, it's unlikely that anyone would ever break them like this anyway.

Brendan Long
depends on the perceived "Value" of the site in question, money even in small amounts, when hacked on a large scale add up. There was a scam last year with .99 cent charges for "credit confirmation" charges that was in the hundreds of millions of dollars.
fuzzy lollipop
@fuzzy lollipop, that's true, if the site has anything of value this is pointless, but most websites that get hacked are because of bots checking for easy vulnerabilities so for an average site the tiny layer of annoyance for attackers could be helpful.
Brendan Long