Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enhance login security - Return same generic error for invalid user or password #101

Closed
ryandaniels opened this issue May 7, 2019 · 3 comments
Labels

Comments

@ryandaniels
Copy link

@ryandaniels ryandaniels commented May 7, 2019

Describe the bug

Login attempts expose if the username is wrong

Steps to reproduce (if necessary)

Steps to reproduce the behavior:

  1. Try to login with username that doesn't exist
  2. Get message: User doesn't exist
  3. Try to login with valid username but wrong password.
  4. Get message: Incorrect password

Expected behavior

Return the same generic error message if username or password is wrong, so it's not as easy to get the login.

Application configuration

N/A

Version or last commit:
0.9.1

@thebaer

This comment has been minimized.

Copy link
Member

@thebaer thebaer commented May 8, 2019

Thanks for submitting this. I'm open to feedback from more people, but this was a conscious design decision to prioritize usability over obfuscation, particularly because:

  • In my experience running Write.as, when the error message was generalized, people would return to the site after a long time away, try to log in, fail, and leave because they couldn't remember their username. This at least helps them figure out what information is wrong and make better guesses. Since the majority of users making guesses will probably be legitimate users (instead of attackers), I think the usability gains are more important.

  • Usernames are used as public handles (e.g. write.as/matt), so you can always figure out whether a username exists or not by just trying out blog URLs, e.g. write.as/matts-secret-identity, easily circumventing any login protections. In fact, since an admin might not rate-limit normal blog URLs (whereas they might on the login endpoint), this would probably be a better attack vector, anyway.

  • Little information is generally divulged in a username, and brute-force attacks on passwords can be mitigated in other ways.

  • There are other security measures in place to protect the actual contents of a blog, even if the username / blog's alias is known.

But again, I'm open to any further input.

@marek-lach

This comment has been minimized.

Copy link

@marek-lach marek-lach commented May 8, 2019

Google's login process is that if you put in a correct email username, it will automatically accept it and then you just have to enter the password. If your email handle is wrong it'll say so:

Screenshot 2019-05-08 at 09 55 56

Microsoft's Live Outlook.com service is very similar to how they handle this, telling the user if they have entered the right login first, and only then asking for a password:

Screenshot 2019-05-08 at 12 58 42

There's an alternative option to cosider where 'forgot password' would just ask for the user's email address, and then the received email would be like:

Hello [username],

Renew your password by clicking here: [password reset link]

@thebaer thebaer added the not a bug label May 13, 2019
@thebaer

This comment has been minimized.

Copy link
Member

@thebaer thebaer commented May 20, 2019

Great points, @marek-lach. Thanks for the input.

It seems the current design is optimal, so I'll go ahead and close this.

@thebaer thebaer closed this May 20, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants
You can’t perform that action at this time.