14

I'd like to code a combined sign in/up page like the one in the picture below.

(screenshot of the proposed combined sign in / sign up form, not reproduced)

My colleague said this will allow spammers/hackers to see what email addresses are registered with our system and this is bad.

But surely this is no different than the way hackers can check email addresses on a normal sign up page where it says 'this email is already in use'.

Is my colleague right? Is my design more dangerous? If so, why, and how can I alter it to keep the one-page minimalist UI but still be safe?

Richard
  • You could, instead of having the system decide, let the user decide by a little button that says "I'd rather sign up" that modifies the form. – Tobi Nary Mar 30 '16 at 14:43
  • I could. But I'd rather have the user do as little work as possible. 'Don't make me think', as the book says. In my form she neither has to click, nor even recall if she already has an account on the site. Regardless, the security question remains. – Richard Mar 30 '16 at 14:54
  • That is rather a UX thing: If I'd like to sign up and get merely a user/password prompt, I'd be made to think. As to the security implications, I'm undecided but tending towards 'that is okay'. From a UX perspective, that's horrible. – Tobi Nary Mar 30 '16 at 14:57
  • Two words: **enumeration attacks**. – user Mar 30 '16 at 14:58
  • Thanks Michael, Googling that led me to this answer: http://security.stackexchange.com/questions/42872/user-name-enumeration. In summary, sign up pages can have CAPTCHAs on them, preventing attacks, whereas I wouldn't want to put CAPTCHAs on my sign in page as they are a nuisance to users performing a frequent task (signing in). – Richard Mar 30 '16 at 15:07
  • You could add rate limiting, but you would only be able to block an IP address... that's not going to stop a determined attacker for long. Or combine rate limiting with CAPTCHA (only show the CAPTCHA after the rate limit is exceeded). – Jay Mar 30 '16 at 15:14
  • Note that Jeff Atwood, founder of StackExchange, had a blog entry on [this very subject](http://blog.codinghorror.com/the-god-login/) a bit over a year ago. He indeed suggested it's best to combine the two as you are talking about. As usual with Jeff's blog, the comments are more important to read than the text, as they get into the details you are looking for. – T.E.D. Mar 30 '16 at 18:15

3 Answers

23

> But surely this is no different than the way hackers can check email addresses on a normal sign up page where it says 'this email is already in use'.

Yes, you are right, and your colleague is wrong. The issue would also exist if the sign up page was not on the same page as the sign in page.

Any preventative measures for this issue can be implemented regardless of whether you have two pages or one combined page (for example, you could display and require a captcha when the user enters something in the sign up fields, and obviously in the backend you can rate-limit on sign up, but not on sign in - or both, to also prevent bruteforce attempts on the sign in).

That being said, the design seems rather confusing. It's not clear to me that this is also a sign in page, and I would expect a lot of people to accidentally sign up again because they are unsure on how to use the form correctly.

tim
  • GMail [does this](http://security.stackexchange.com/q/88815/56961). – Michael Mar 30 '16 at 19:11
  • Or you can not reveal at all that the email address is in use, and instead use a generic message asking the user to check their email to complete the sign-up process. A hacker spamming addresses will learn nothing, a legitimate new sign up will continue as normal, and a legitimate user attempting to re-use an email address will receive an email informing them of that fact. – Jon Bentley Mar 31 '16 at 14:26
10

Based on the answer suggested by Michael's comment on my question I've redesigned the page to:

  • Not tell anyone if the email exists in our database when signing in
  • Tell people the email exists if signing up, but it has a CAPTCHA to prevent automated attacks

Sadly this requires an extra click (the 'sign up' button) from users, but it's not the end of the world.

New design:

(screenshot of the redesigned form, not reproduced)

Richard
  • There are some sites that even attempt to hide that an email exists during signing up. For example, HaveIBeenPwned will always send an email to an address that subscribes to notifications (to avoid enumeration), but the content of the email changes. And I remember using a service at one point that did the same thing, but I'm not sure what service that was, and I can't find the email anymore. – Nzall Mar 30 '16 at 22:32
  • And don't forget to collect enough entropy to "generate safe password". – Eugene Ryabtsev Mar 31 '16 at 05:11
  • @NateKerkhofs Sending a different email but not showing anything different in the browser is one of the OWASP recommendations for things like "Forgot Password" forms. A lot of sites will say something like "If your email address is in our database, your password reset link will be sent to you" and the email will either have a link or will say "Someone (hopefully you) tried to reset your password, but there is no account on our site associated with this email address." – Moshe Katz Apr 06 '16 at 01:58
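A small illustration of the pattern described in Jon Bentley's, Nzall's and Moshe Katz's comments (the browser gets the same response whether or not the address is registered, and only the email that goes out differs) together with the sign-in side of Richard's redesign (one generic error for unknown email and wrong password, with the same hashing work done in both cases so timing does not give it away). This is an added example, not code from the thread; the in-memory user store, the `OUTBOX` queue and the message strings are constructed stand-ins.

```python
import hashlib
import hmac
import os
import secrets
from typing import Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hash the real site uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: email -> (salt, hash). Not a real account.
_ALICE_SALT = os.urandom(16)
USERS = {"alice@example.com": (_ALICE_SALT, _hash_password("correct horse", _ALICE_SALT))}

# Dummy credential verified when the email is unknown, so the server does the
# same amount of work (and takes the same time) as for a registered address.
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _hash_password(secrets.token_hex(16), _DUMMY_SALT))

OUTBOX = []  # constructed stand-in for the mail queue: (recipient, template)

GENERIC_LOGIN_ERROR = "Incorrect email or password."
GENERIC_SIGNUP_MESSAGE = "Check your inbox to finish signing up."


def sign_in(email: str, password: str) -> Tuple[bool, str]:
    """Same message for 'no such account' and 'wrong password'; hash either way."""
    salt, stored = USERS.get(email, _DUMMY)
    candidate = _hash_password(password, salt)
    # compare_digest keeps the byte comparison itself constant-time.
    if email in USERS and hmac.compare_digest(candidate, stored):
        return True, "Signed in."
    return False, GENERIC_LOGIN_ERROR


def sign_up(email: str) -> str:
    """Always returns the same message; only the email template differs."""
    if email in USERS:
        # The real owner learns they already have an account; the browser does not.
        OUTBOX.append((email, "account-exists"))
    else:
        # Carries the link that actually completes registration.
        OUTBOX.append((email, "verify-address"))
    return GENERIC_SIGNUP_MESSAGE
```

Rate limiting and the CAPTCHA-after-N-attempts step from Jay's comment would sit in front of both functions; they are left out here to keep the response-uniformity point visible.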
1

I think that the form could be streamlined as follows:

Initial Form

(screenshot of the initial form, not reproduced)

Simple Username and Password, with two buttons - "Sign In", which does what it says it does, and "Sign Up (I'm New)".

If Login Attempted with Email Address which is Not Registered, or User Clicks "Sign Up", show the Registration Form

(screenshot of the registration form, not reproduced)

Pretty straightforward...

If Login Attempted with Email Address which is Registered, but Wrong Password

(screenshot of the wrong-password form, not reproduced)

Give them a chance to try again, or to reset the password. Maybe even just show the "Reset Password" button if they try and login with the same email address but the wrong password more than X times.

Too Many Incorrect Passwords - Force Password Reset

(screenshot of the forced password reset form, not reproduced)

  • This is almost exactly my original idea, but still doesn't prevent people from testing for registered emails on the system. – Richard Mar 31 '16 at 07:54
  • @Richard: I think it does somewhat protect against someone fishing for registered email addresses. Realistically, all systems will let that slip if you try and register with an email address which is already in the system, so going out of the way to try and make that obscure, at the cost of making the system confusing for your users, would result in a net loss. – Luke Stevenson Mar 31 '16 at 08:42