86

I noticed that the new gmail login asks for username first, and then confirms if such username exists, before asking for password input.

Does this not go against conventional security wisdom to not divulge information about whether an username exists, to thwart the class of attacks that tries many possible usernames?

I assume Google knows what they are doing, so does this mean they have some way to be secure against what is conventionally considered a vulnerability?

bwDraco
  • 473
  • 2
  • 10
ataftoti
  • 945
  • 1
  • 7
  • 5
  • 87
    Does trying to register with some username not reveal the same information? – DrLecter May 08 '15 at 16:30
  • 2
    I've noticed baking websites do this as well. I expect it is to force multiple requests so click jacking is more difficult, but I'm curious to see someone write out all the benefits and use cases – amccormack May 08 '15 at 17:24
  • 1
    True, registering does reveal the same info. But now I wonder why I was always told not to return the "username does not exist" message for better security....is that just a misconception then? – ataftoti May 08 '15 at 18:20
  • 4
    I rather return a message saying "username or password is incorrect" that way a person doesn't know which one is bad. Telling them a username is bad does give one more piece of information – Wayne In Yak May 08 '15 at 19:55
  • 11
    In case of an email provider I believe it's already possible to numerate usernames by emailing them and looking at which ones get delivered (even if flagged as spam) and which ones bounce, so it's a bit less of an issue. –  May 08 '15 at 20:50
  • 13
    Connect through telnet to gmail and try sending a mail to a random ID. You will easily know if that ID exists or not. There are many other similar ways to know the existence of IDs. – shivams May 09 '15 at 00:38
  • 6
    This "conventional wisdom" is from a usability viewpoint utter idiocy -- I have to remember which of my 4 or 5 email addresses I've used *and* try every variation of my ten-or-so passwords to login? Well, I have better things to do than try to login 50 times so I'll just have to reset my password again... – Steve Dodier-Lazaro May 09 '15 at 17:23
  • Sorry, "baking websites" @amccormack? Terminology I'm missing, or cookery sites? :/ – OJFord May 10 '15 at 02:21
  • Should have been banking, sorry. – amccormack May 10 '15 at 02:23
  • 5
    The username doesn't need to be secret, that's why we have passwords. – JamesRyan May 11 '15 at 12:39
  • 8
    Completely agree with Steve. There needs to be more consideration of the usability aspects of security. Without it, users make bad security decisions to make their life easier. Our systems should make their life easier to help them make good security decisions! My other frustration with systems like this is not repeating the password rules (length, accepted characters etc) at login; it's public information (on sign up), so why make the user hunt around for it? – Rikki May 11 '15 at 12:52
  • 3
    Conventional security wisdom is that nothing matters except security. Which is obviously dumb. – user253751 May 12 '15 at 00:36
  • Just noticed that Adobe appear to do this as well. When entering your Adobe ID when signing in to Adobe Acrobat DC. The username/email address appears to be validated (gets a green tick) before entering the password. – MrWhite May 12 '15 at 12:57
  • 1
    @SteveDL — I agree with you : *“from a usability viewpoint”*. Sometimes, I too try different couples (user name ; password), this is annoying. But the Web sites are doing this for a good reason. As often, usability conflicts with security. – Nicolas Barbulesco May 12 '15 at 19:30
  • 2
    @NicolasBarbulesco I sincerely doubt 90% of the sites doing this have anything close to a threat model. :-) – Steve Dodier-Lazaro May 12 '15 at 20:19
  • Now I have to click two buttons to login. New login system isn't user friendly. – Bishan May 14 '15 at 04:11
  • 2
    @SteveDL No, you should use a password manager. – nyuszika7h May 23 '15 at 12:17
  • 2
    @SteveDL Also, you have only 10 passwords? I'm guessing you reuse the same password on multiple sites, then. That's a horrible security risk. Why don't you just use a password manager, which doesn't really have any disadvantages? – nyuszika7h May 23 '15 at 12:24
  • @nyuszika7h there are plenty of valid reasons why someone would not want to use a password manager... – Steve Dodier-Lazaro May 23 '15 at 12:27
  • 2
    There are no valid reasons for reusing the same password multiple times, other than laziness, though. Also, what is **your** reason for not wanting to use a password manager? – nyuszika7h May 23 '15 at 12:27
  • Related discussion: [Is having the username and password fields on different pages more secure?](https://security.stackexchange.com/q/85160/32746) – WhiteWinterWolf Aug 05 '15 at 14:17
  • **On 25th May 2018** the world has changed, especially in the European Union when the GDPR came into play, which says we shouldn't leak Personal Identifiable Information (PII). – pepe Apr 24 '22 at 14:36
  • What about this approach? https://tomssl.com/how-and-why-you-should-prevent-account-enumeration-on-your-website/ – pepe Apr 24 '22 at 16:40

10 Answers10

67

For smaller sites, you don't want to allow hackers to enumerate your user lists, but for Google, the site is so large, one can assume almost everyone has an account or several accounts. So, the risk is minimized after a threshold of ubiquity.

It is still a good idea for most sites to not disclose whether a username exists, but the risk needs to be weighed against the new user registration process. What you want to prevent is an automated process from enumerating your lists. The new user registration process should include some form of delay or gate so that a script can't rapidly try a dictionary of users. This is often achieved by sending an email with the results of the un/successful registration process. Yes, one could still enumerate, but there is a delay and an additional step.

Another thing to consider is the difference between a public site and a private site. Google is a public service an usernames are also public (disclosed with every email sent by an account). On the other hand, an internal corporate site, where only current employees can access, is private, and requires more stringent controls to prevent enumeration.

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • 1
    Actually, usernames are not disclosed in email addresses. An email address could appear as joe.bloggs@gmail.com but that user's username could be j.oeb.loggs@gmail.com. With Gmail, dots are immaterial in email addresses, but crucial in validating login ids. – Andrew Leach May 09 '15 at 12:35
  • 26
    @AndrewLeach Google lets me log in if I leave out the dots, they seem to be parsed out for logon as well. – Eric G May 09 '15 at 16:27
  • @EricG then there's that ... – schroeder May 09 '15 at 16:30
  • 1
    That's changed, then; they used to make a point of the difference. Perhaps people couldn't cope with it being different. It seemed reasonable to me, and I don't recall an announcement about the change (but then I don't suppose they would announce a reduction in security, even if it's only security by obscurity in the first place.) – Andrew Leach May 09 '15 at 17:16
  • 1
    When dealing with login forms, hiding whether a user's username / email address is correct also makes it exponentially hard for users to remember which password they used on the site. – Steve Dodier-Lazaro May 09 '15 at 17:24
  • 1
    It's surely also possible that they check (so far as possible) for such automated enumeration? If a 'user' tries more than some (quite low) number of usernames, it'd be a fair bet they're not a genuine user. – OJFord May 10 '15 at 02:26
50

Jeff Atwood, when making the login for Discourse, had this to say on the subject:

This was the source of a long discussion at Discourse about whether it made sense to reveal to the user, when they enter an email address in the "forgot password" form, whether we have that email address on file. On many websites, here's the sort of message you'll see after entering an email address in the forgot password form:

If an account matches name@example.com, you should receive an email with instructions on how to reset your password shortly.

Note the coy "if" there, which is a hedge against all the security implications of revealing whether a given email address exists on the site just by typing it into the forgot password form.

We're deadly serious about picking safe defaults for Discourse, so out of the box you won't get exploited or abused or overrun with spammers. But after experiencing the real world "which email did we use here again?" login state on dozens of Discourse instances ourselves, we realized that, in this specific case, being user friendly is way more important than being secure.

Michael
  • 2,391
  • 2
  • 19
  • 36
  • 6
    Very interesting conclusion. Basically, they would rather cope automatically with users who can't remember which login name they used, than keep their user list secure from brute forcing. I can't speak for them, but it sounds more like they are saying "minimizing support volume is way more important than being secure." – Jeff Meden May 08 '15 at 20:40
  • 7
    Lowering support volume is also (usually) more user friendly -- being hard enough to use that a significant number of users need to contact support is the opposite of good usability. – Johnny May 09 '15 at 00:10
  • 33
    Security is not about applying arbitrary rules and best practices. It is about understanding how all of your controls and countermeasures work together and the relative value, in consideration of providing the actual service. The risk value of username enumeration goes down if you have mitigating controls that address the usefulness of knowing the username (e.g., IP address monitoring for attempted logon, failed attempt lockouts, blacklisting attackers, etc.) – Eric G May 09 '15 at 16:25
  • 1
    @JeffMeden see Tom Leek's answer [here](http://security.stackexchange.com/questions/42872/user-name-enumeration) - the "security" provided by hiding usernames is minimal at best. – Jason May 12 '15 at 18:13
36

For Gmail, you can determine whether an account exists simply by sending an email to an @gmail.com address. If it bounces, that account does not exist.

This is true of many email providers. Here, usernames are not considered secret. If a user has the email address foo@example.com everybody knows that foo has an account at example.com with username foo@example.com.

However, for most other systems it is a breach of privacy to reveal usernames. If someone can discover that bob@example.com has an account at nostringsattacheddating.example.org and Bob's wife Alice can try registering with the username bob@example.com on the website and it tells them the username is already in use then it is a massive breach of privacy.

Remember that email address has its roots at the email provider. There is no privacy lost if eve@example.com is known to have an account at example.com, as there is no point of reference for who eve@example.com is. The same isn't true for another system using email as the username - a user with username mallory@example.com on a non-email website will be the same mallory@example.com as registered at other websites. There is privacy to protect about which accounts Mallory has.

Also, revealing usernames can be useful to an attacker. This is known as a username enumeration vulnerability. If an attacker knows which usernames exist, then they can run a password guessing attack.

As an attacker if I can use your login or forgotten password page to narrow my list from 10000 targets to 1000 targets, I will.

It also allows attackers to target users of the system via phishing.

It is easily possible to design a system where user enumeration cannot be executed. For example, the sign-up and forgotten password processes are one and the same.

The steps are:

  1. The system asks for their username (email) on a single page, with no other input fields.
  2. When the form is submitted the system asks the user to check their email account.
  3. If the account exists, the email contains a password reset link.
  4. If the account does not exist, the email contains a sign-up link.

As a bonus, you've validated their email address at sign-up in case they need to reset their password at a later date. Any typos will mean the user can't sign up at all - which is good because a user isn't accidentally using an account registered to a different email address.

Both the password and sign-up links contain a cryptographically secure random ID, so they cannot be followed without receiving the email. Only someone with access to the account can find out whether a username is registered or not (Bob better keep his email and laptop passwords secret from Alice - it would be wise for him to turn off any notification sounds in case Alice tries this process when they're in the same room too).

See some of my other answers for related topics:

SilverlightFox
  • 33,408
  • 6
  • 67
  • 178
  • "For Gmail, you can determine whether an account exists simply by sending an email": this isn't true in general. If you send too many emails to non-existing addresses, you'll get blocked. – Nemo Aug 02 '16 at 20:52
10

I'm sure that rule developed in the days of 'big iron', when all accounts were on big corporate or government systems. Since the system doled out the account names, the use of a sign-up page to look for account names wasn't an issue. Thus, keeping the list of account names was feasible & useful.

Now that we're dealing with self-sign-up sites, it is impossible to keep the account name list secret. Plus, so many people these days make their account name public anyway. Under these conditions, it's pointless to try to hide the fact the it was the name that failed instead of the password.

Jerry B
  • 201
  • 1
  • 3
10

There's a more important reason for prompting for username first and then prompting for password: it allows Google to offer a different UI for accounts that are using passwordless authentication or other experimental login mechanisms without revealing beforehand which accounts are using it.

It's similar to how Google's 2Factor auth UI isn't displayed until after the password is entered: an attacker won't even know that a second factor is involved until after cracking the first factor.

Combined with what other answers are saying here about the relative non-risk of leaking usernames, this seems to me to be actually a security improvement.

user76196
  • 101
  • 2
9

Knowing which username exists or not is not important, because an attacker can also check it from the sign up page. Google does not allow that an attacker runs an attack like brute force attack for obtaining a username list.

Jens Erat
  • 23,446
  • 12
  • 72
  • 96
Ali
  • 2,694
  • 1
  • 14
  • 23
  • So basically the rule "don't return 'user doesn't exist' at login" is a myth? Did it ever make a security difference? – ataftoti May 08 '15 at 18:22
  • 4
    It does make a security difference. For example, I have a Jira instance that people log into. I created the accounts for my team, it isnt self sign up. Thus, the only way to disclose the username is through the signup process. It all comes down to usability tradeoffs. On public sites, there often exists a need to tell people if a username exists or not, but that doesn't mean that exposing that information isn't a risk. Designers should understand what they are exposing and put other technical limits to ensure it can't lead to widespread abuse. – amccormack May 08 '15 at 18:58
  • 1
    The ability to check from a sign uppage is not universal. The best practice is to say an email has been sent to that address even if it already exists and alert the person that someone tried to sign up again with their account or just don't send out the email again. Also, its important to distinguish between and email address and a user account. A user account on something like Internet banking is usually not public and should be protected versus something which by definition must be public. – Eric G May 09 '15 at 16:23
  • 2
    This "conventional wisdom" is [tag:security-theater] mostly. – Steve Dodier-Lazaro May 10 '15 at 05:20
5

Email addresses are not the same as usernames. A username is semi-private information (potentially), but an email address is publicly disclosable and publicly routeable. Think about postal mail, the mailing address if often well known, but the current list of valid recipients is not necessarily design to be public, although there are often ways to look that up online as well. In the case of something like Google, they have Google+, YouTube, Google Groups, etc. which make many of the addresses already well known.

It's also trivial to query an email server and determine if a given email address exists, using telnet or many websites will do it for you. There is little to gain from protecting information which is easily accessible in other ways. This is why some sites separate the email address for the username. In the case of an email provider, it doesn't really make sense to have a different logon name and then email address for the average user (maybe those of us who are more security paranoid would like that feature).

Switching to a two-step logon reduces the likelihood that a user's password will be entered into a search field or the username field. These fields are often logged and the logs get correlated all over the place and are less likely to be secured. So if the logs are attacked by a hacker or nation state, then the attacker may be able to correlate the IP address from the user with their username and then notice something like "m7p@55w0rd!!!!" which sticks out and assume its a password.

In terms of risk management, the risk of password exposure is much greater than the risk of username enumeration. Google likely has more robust anti-fraud and anomaly tracking to deal with the risks associated with known usernames.

I think a good way to understand this is the Tire Swing example in the FAIR introduction (pdf). The risk calculation of a known username is impacted by the other controls and factors. Do you stop brute force attacks, require multi-factor authentication, how else could this information be obtained? In the scenario, effectively you are trading off between a risk that you have control over (monitoring of all logins) versus something on the old form which is harder to control (password being typed by user into the wrong area).

Eric G
  • 9,691
  • 4
  • 31
  • 58
4

I'm going to go out on a limb and say they likely have some mechanisms in place to ensure it isn't an open repository of users.

We implemented a similar system on our little site using a redis backed solution.

Users are initially presented with a simple email/pass with a button for login and register. Upon entering their email and moving on it's checked for a match and if matched the register button is removed. If not they are presented with the full register form.

We track the number of attempts by ip subnet and blacklist after a given threshold. Blacklisting doesn't impact their ability to use the site, it simply reverts to the standard behavior of login/register options.

  • 1
    A spammer who wants to build an account list can rent a botnet to get around blocking by IP subnet. – Christian May 09 '15 at 10:09
  • 1
    True. That being said if Google wanted to (though other answers suggest plenty of valid reason why they may not care) they could employ other abuse prevention mechanisms. For instance tracking deviations from standard failure rates and reverting behavior globally – andrew.carpenter May 11 '15 at 01:42
4

Yes, they have systems in place to prevent abuse. Google has extensive "anomaly detection" mechanisms, which serve errors or captchas when your activity is suspicious: the best known examples are blocks from Google search and the NoCaptcha ReCaptcha.

The fact that you were allowed to know whether that account exists doesn't mean that everyone would nor that you would be able to actually guess anyone else's username. Try and let us know how long before you're blocked, it's an interesting test.

Nemo
  • 149
  • 8
1

Pretty much everyone is already doing this

I noticed that the new gmail login asks for username first, and then confirms if such username exists, before asking for password input.

Google already has this feature. When you try to sign up for a new Google account, it has to check to see if the username already exists or not.

Does this not go against conventional security wisdom to not divulge information about whether an username exists, to thwart the class of attacks that tries many possible usernames?

If they didn't check, how would you properly authenticate? Multiple people with the same username is bad news bears for the integrity of the website. Of course, in many cases, you could use unique email addresses, and allow multiple people to have the same names.

Like I said before, pretty much everyone is already doing this in some way. There is nothing to worry about here. If you want to slow down mass enumeration of usernames, just include a captcha after a few attempts.


Captchas can't really prevent mass-mailing tricks

Spammers frequently send out large amounts of spam to e-mail addresses. While Google may shove the email into the spam folder, that doesn't prevent enumeration through non-bouncing emails.

It's trivial to create a mass-mailer which uses thousands of different IP addresses, and then attempting to enumerate by not receiving a bounced email. You could even send random garbage. Remember, if your goal is to verify whether an email address exists or not, it will suffice to not receive an error email after a few days.

Mark Buffalo
  • 22,498
  • 8
  • 74
  • 91