Question
I've got a login page with a form where they can input their account's email address and password.
I'm doing the following things before even attempting to authenticate a user:
- Validating the email address for correct format.
- Validating the password for not being empty.
If any of these are invalid, I report back with the validation errors like:
- "You did not enter an email address." and/or "You must enter a password.".
It's also susceptible to timing attacks since password verifying is not attempted when there are errors.
Would it be safer to just accept any input and just report back with a generic "Login failed." error?
Explanation / Answer
Sorry, I do not get the part on your concern with timing attacks. As long as the passwords are properly hashed and the comparison is done on the hashes, your application should be safe from this kind of side channel attack. Whether a database call has been made or not (2s vs 1s) does not leak any information on your password.
It is always good to validate form inputs, regardless of whether they are stored in the database, in case your database query is susceptible to an SQL injection. This strategy is known as defence in depth. You never know when your query parser is made vulnerable by some weird user input like the recent Shellshock exploit.
There is really not much of a security issue whether you report the failed login by showing individual errors or by grouping them together. What an attacker can gain from here (whether an email address is valid) can also be gleaned from the registration page by trying to register with that email address.
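The alternative raised in the question, sketched as an added example that is not code from the original post: input is still validated, but every failure returns the same "Login failed." message and every request performs one password hash and one constant-time comparison. The user store, the email pattern, the PBKDF2 work factor and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")  # loose format check (assumed)
GENERIC_ERROR = "Login failed."
ITERATIONS = 50_000  # assumed work factor, kept small for the example


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed sample user store: email -> (salt, password hash).
USERS = {"alice@example.com": make_record("correct horse")}
# Dummy record so unknown or malformed input still costs one full hash.
DUMMY = make_record(os.urandom(16).hex())


def login(email: str, password: str) -> tuple[bool, str]:
    # Validate as before, but keep the result internal instead of reporting it.
    input_ok = bool(EMAIL_RE.fullmatch(email)) and bool(password)
    record = USERS.get(email.lower()) if input_ok else None
    salt, stored = record if record else DUMMY
    # Always hash and compare, whatever the validation outcome was.
    candidate = hash_password(password if input_ok else "invalid-input", salt)
    match = hmac.compare_digest(candidate, stored)
    if input_ok and record is not None and match:
        return True, "Welcome."
    return False, GENERIC_ERROR
```
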