views:

72

answers:

4

Browsing through Coding Horror, I saw this article on removing the user field from a login dialog.

It's an interesting concept albeit an old one from 2005. Nevertheless, I started thinking about it and wondered:

How would you be able to do this in a secure fashion?

If you identify the user by their password that means all passwords must be unique - yes?

If all passwords must be unique, what do you do when someone enters a password that's already in use?

You can't tell them it's already in use because that would give away someone else's login.

I can't think of a way one could implement this in a secure fashion...any ideas?

G-Man

+1  A: 

I believe you can't.

By entering your username you are providing your identity, by entering your password you are providing a means for the server to verify this identity.

Both are inherently required unless you have some other means of determining identity (IP, keycard, etc.)

Basically you can't expect anyone to believe you are who you say you are, when you don't say who you are!

Kris
If you walk up to someone who knows you and say, "I'm Kris," they can verify your identity because they know what you look like. Even if you don't say, "I'm Kris," they will still know you.
Dave Bauman
Yes, but it is more difficult for someone to fake my appearance than it is to type in my password. You could use biometrics as both identity and authentication (in theory at least, I wouldn't want to rely on it)
Kris
True, but my point is that it's not necessary to make a distinction between username and password. All you really need is some thing or combination of things which is uniquely identifiable and reasonably secure. If a system can recognize you from your password, that's your identity.
Dave Bauman
The only way to do that is to have a part of the password that must be unique or otherwise run the risk of collision. If you are mandating a unique bit in the password you might as well break it out into a separate field for clarity (although I guess typing krisMyPassword would save you a TAB keystroke).
Kris
+1  A: 

My first thought, which is also alluded to in the article, is to increase the password complexity requirements to avoid collisions.

16-byte GUIDs avoid collisions (every star can have 6.8×10^15 GUIDs) well enough, so it shouldn't be too difficult. Obviously human-generated input isn't quite as random, but if you add in enough requirements like lowercase/uppercase/numbers/symbols/length, it might work well enough.

Dave Bauman
+1  A: 

Well, I suppose you could look for some other piece of "uniquify-ing" data, to use in combination with the password. For a web app, this could be a hash inserted in a cookie, from a previous visit. It'd be hard to guarantee uniqueness (multiple users from a single profile on a single computer, for instance).

My bank takes essentially this approach, with my public IP address. It's a little annoying, actually. Every time my DHCP lease expires, my bank's website "un-recognizes" me, and asks one of several security questions, before I get the standard username/password screen.

Multiple-factor security uses something like this (a hardware key or hardware-provided identifier, in combination with a password).

This approach strikes me as overly clever, and clever's rarely the right way to approach security systems.

Michael Petrotta
+2  A: 

You do not identify users by password, you identify them by user name. You authenticate users by password. Just think a bit about what it means to identify by password. I join the system, he asks me to enter my new password. I say 'foo', he says 'foo is already in use'. I say 'tyvm', and open the login window. When prompted I simply enter 'foo' and he says 'Welcome Mr. President'...

No, there absolutely cannot be a requirement to have passwords unique, that would be a huge security hole in any system because it relies on information disclosure to function: by revealing a duplicate you disclose somebody's password. Even with name/password combinations, once you disclosed that 'password is in use' all I have to do is iterate through the list of accounts trying the password you just revealed to me, and one combination will succeed.

Remus Rusanu
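An added example, not from any of the answers above, that puts the last answer's point into code: a store that identifies users by password must refuse duplicates (and that refusal is the disclosure), whereas a store that identifies by username and verifies with a per-user salted hash never needs passwords to be unique. The class names and the PBKDF2 parameters are my own choices for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo: the "identify by password" scheme from the question
# beside the conventional "identify by username, authenticate by password" scheme.


class PasswordIdentityStore:
    """Hypothetical scheme where the password IS the identity, so it must be unique."""

    def __init__(self):
        self._by_password = {}  # password -> username

    def register(self, username, password):
        # Lookups are keyed by password, so a second user with the same
        # password cannot be stored. Refusing it tells the caller that this
        # password already belongs to someone: the disclosure the answer warns about.
        if password in self._by_password:
            return False
        self._by_password[password] = username
        return True

    def login(self, password):
        return self._by_password.get(password)  # no username needed, by design


class UserStore:
    """Conventional scheme: username selects the record, a salted hash verifies the password."""

    def __init__(self):
        self._users = {}  # username -> (salt, derived key)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        if username in self._users:
            return False          # only usernames must be unique
        salt = os.urandom(16)     # per-user salt: identical passwords store differently
        self._users[username] = (salt, self._derive(password, salt))
        return True

    def authenticate(self, username, password):
        record = self._users.get(username)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._derive(password, salt))

    def stored_hash(self, username):
        return self._users[username][1]
```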