Question
It is really common (and I would say it is some kind of security basic) to not show on the login page if the username or the password was wrong when a user tries to log in. One should show a generic message instead, like "Password or username are wrong".
The reason is not to show potential attackers which usernames are already taken, so it'll be harder to 'hack' an existing account.
Sounded reasonable to me, but then something different came to my mind.
When you register your account, you type in your username. And when it is already taken, you get an error message - which is not generic!
So basically, an attacker could just grab 'correct' user names from the register page, or am I wrong?
So what is the point of generic messages then? Non-generic messages would lead to a much better UX.
Explanation / Answer
No, you are correct that at some point during efforts to prevent attackers from determining valid user identities you will either have to lie to them or provide exceptionally vague error messages.
Your app could tell a user that "the requested username is unavailable" and not be specific as to whether it was already in use or just didn't meet your other username requirements (length, character usage, reserved words, etc.). Of course, if these details are public then an attacker could work out that their guess failed due to the account being in use and not due to invalid format.
Then you also have your password reset system. Do you accept any username/email address and say a message was sent even if that account wasn't in your database? What about account lockout (if you're using it)? Do you just tell the user that their credentials were invalid even if they weren't, but instead their account was locked out, hoping they contact customer support who can identify the problem?
It is beneficial to increase the difficulty for attackers to gather valid usernames, but it typically is at a cost of frustrating users. Most of the lower security sites I've seen do use separate messages identifying whether the username or password is wrong just because they prefer to err on the side of keeping users happy. You'll have to determine if your security requirements dictate prioritizing them over the user experience.
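As an added example (not part of the question or the answer above), here is what the generic-message policy from the answer looks like in code: one reply for unknown user, wrong password and locked account; one reply for a registration name that is taken or merely invalid; one reply for password reset whether or not the account exists. It also adds a constant-work path for unknown usernames, which the answer does not mention, so response time does not leak account existence either. The user store, names and passwords are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

ITERATIONS = 100_000

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user(password: str, locked: bool = False) -> Dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "locked": locked}

# Constructed sample user store (a real app would query a database).
USERS = {
    "alice": make_user("correct horse battery staple"),
    "bob": make_user("hunter2", locked=True),
}
# Dummy record used for unknown usernames so that path still does one PBKDF2
# computation: response time then does not reveal whether the account exists.
_DUMMY = make_user("dummy-password-never-accepted")

GENERIC_LOGIN_ERROR = "Invalid username or password."
GENERIC_RESET_MESSAGE = "If an account exists for that name, a reset link has been sent."
GENERIC_NAME_UNAVAILABLE = "The requested username is unavailable."

def login(username: str, password: str) -> Tuple[bool, str]:
    """Same message for unknown user, wrong password and locked account."""
    record = USERS.get(username, _DUMMY)
    password_ok = hmac.compare_digest(_hash(password, record["salt"]), record["hash"])
    # Lockout is evaluated after the hash so a locked account costs the same work.
    if username not in USERS or record["locked"] or not password_ok:
        return False, GENERIC_LOGIN_ERROR
    return True, "Welcome, %s." % username

def registration_message(username: str) -> str:
    """One message whether the name is taken or merely fails the format rules."""
    valid_format = 3 <= len(username) <= 20 and username.isalnum()
    if username in USERS or not valid_format:
        return GENERIC_NAME_UNAVAILABLE
    return "Username available."

def request_password_reset(username: str) -> str:
    """Always the same reply; the e-mail (not implemented here) goes out only if the account exists."""
    if username in USERS:
        pass  # queue the reset e-mail for this account
    return GENERIC_RESET_MESSAGE
```

The trade-off the answer describes remains: a legitimate user who mistypes their name gets the same reply as one who mistypes their password, and the registration check hides which rule a name failed.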