7

Let's suppose a website has a login page with "Email or Username", and shows the username publicly to every user on that site.

Does that make it easy for an attacker to hack other people's account?

Naman
  • Tangent: even if it's not a security problem, it may be a privacy problem. You need to allow opt-out/opt-in, or at the very least be crystal clear that membership is publicly documented. Depending on jurisdiction, that is likely to be a _legal_ requirement. – Lightness Races in Orbit Jul 02 '16 at 14:02
  • You mean like the usernames are shown publicly to everyone here? – VLAZ Mar 02 '19 at 09:01

4 Answers

14

The email and username are normally both considered to be public pieces of information so it shouldn't make much of a difference. Not having those pieces of information publicly available might slow down a hacker for the length of a Google search.

If you're going to make it public, maybe just add an extra digit onto the minimum password length to compensate.

Crizly
  • _"maybe just add an extra digit onto the minimum password length to compensate"_ This irresponsibly gives the mistaken impression that adding a digit to minimum password length has any noticeable effect whatsoever. – Lightness Races in Orbit Jul 02 '16 at 14:01
  • There is a possibility that the search result from Google may be wrong or inaccurate. Oh, the life of a bruteforcer. – JOW Jul 04 '16 at 09:06
3

By having the username be shown publicly you are giving attackers another piece of the puzzle before they are launching the attack.

For example:

Assuming you can brute force Facebook, if Facebook showed some part of their users' login information, an attacker wanting to perform a brute force will just need to navigate to their victim's page, get the login info and start the attack.
But if they had to find the login information, the attack would be so much harder. They would have to perform some sort of Social Engineering/OSINT in order to find the login information, which can sometimes result in nothing (Notice that Facebook does sometimes supply the account's username when visiting the profile, but they do prevent brute force attacks).

What should be done?

  • If there is nothing you can do about it and you need to display the username which is also the account login, then have the maximum security you can in order to prevent any attack on the user (Including in the forgot password section).

  • You should allow the user to hide the username and have a display name instead (For example my display name is Bubble Hacker but my username is different).

Bubble Hacker
  • Just a note, but Facebook *does* publicly show a part of the user's login details - their vanity URL. If you Google a random name, and click on their profile, most (not all) take you to `http://www.facebook.com/` and you can use that as the username to log in (along with a password of course). – Vitani Jul 01 '16 at 14:30
  • @Jocie This is exactly why I wrote *"Notice that Facebook does sometimes supply the account's username when visiting the profile but they do prevent brute force attacks"* – Bubble Hacker Jul 01 '16 at 14:33
  • Ah I totally misunderstood what you said, my bad! Sorry, I blame it on it being a Friday afternoon :o) – Vitani Jul 01 '16 at 14:39
  • @Jocie Don't we all ;-) – Bubble Hacker Jul 01 '16 at 15:44
3

First of all, maybe the user doesn't want it to be publicly known that he is using the site. So it might not be a good idea to show this information without approval.

To answer your question, in a normal situation, an attacker should know the e-mail before trying to conduct a brute-force attack. If you give away all the e-mail addresses it will simplify the job of the attacker.

However, some attackers are not trying to hack your website, but rather have obtained credentials via another way (hacking into e-mail). Then they will both have the e-mail address and the password, so it won't really matter.

But anyway it allows hackers to create an index of which services/applications a user is using and that is a violation of privacy. So unless you have user approval and a good reason, I wouldn't post all the e-mail addresses or user names.

I think this is kind of a straightforward question.

techraf
Silver
3

If usernames are listed and the same username can be used to authenticate, then this sounds like a user enumeration vulnerability.

So if I want to attempt to gain access to the system, I can simply take the username list and then try a password list of the top 10,000,000 passwords against each username in turn, taking care to strip out those that do not match the minimum password complexity rules for the site.

If I try each password first, then try against each user, and do this sufficiently slowly, and there are enough usernames, then I can avoid any lockout policies that lock accounts after a few bad guesses.

e.g.

Username        Password

bob             123456
alice           123456
ken             123456
...10,000 attempts later...
bob             password1

If there are any IP based lockouts, I use a large array of proxy servers to randomly loop through for each request.

If usernames are known, then it might be better to only allow logins with an email address and password combination, as emails will be more private.

Of course, the site still needs to be protected against user enumeration. This means never revealing anywhere whether a particular email address is in use on the system. This includes signup forms, forgotten password forms and login. See this answer.

On some systems this is not viewed as a vulnerability. E.g. webmail logins where usernames are public anyway (everyone knows bob@gmail.com has an account at gmail), or large scale social networks such as Facebook where the number of people with an account is pretty much everybody and there's not much to be gained in narrowing down a list of email addresses to those with accounts.

SilverlightFox
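The answer above shows why a per-account lockout alone does not catch a slow, one-password-per-account sweep over a public username list. The following is an added defender-side example, not code from the original post: it runs a classic per-account failure counter and a sliding-window count of distinct accounts with failed logins over a constructed auth log, and shows that only the second one fires. Log format, field names and thresholds are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not from the original post): one failed login
# per account from a different source each time, so no account and no IP
# ever reaches a lockout threshold. Field layout is an assumption.
SAMPLE_LOG = """\
2016-07-01T14:00:00 FAIL user=bob src=203.0.113.10
2016-07-01T14:00:07 FAIL user=alice src=203.0.113.11
2016-07-01T14:00:15 FAIL user=ken src=203.0.113.12
2016-07-01T14:00:22 FAIL user=carol src=203.0.113.13
2016-07-01T14:00:30 FAIL user=dave src=203.0.113.14
2016-07-01T14:00:38 FAIL user=erin src=203.0.113.15
2016-07-01T14:01:10 OK   user=bob src=198.51.100.7
"""

def parse(line):
    """Split one log line into (timestamp, result, user, source ip)."""
    ts, result, user, src = line.split()
    return (datetime.fromisoformat(ts), result,
            user.split("=", 1)[1], src.split("=", 1)[1])

def detect_spray(log, window=timedelta(minutes=5),
                 per_account_limit=5, distinct_limit=5):
    """Return (locked_accounts, spray_alerts).

    locked_accounts: accounts a classic per-account lockout would catch.
    spray_alerts: (timestamp, distinct account count) each time the number
    of distinct accounts with a failed login inside the sliding window
    exceeds distinct_limit. The count is site-wide, not per source IP, so
    rotating the source address does not reset it.
    """
    per_account = defaultdict(int)
    recent = deque()                 # (timestamp, user) failures in window
    locked, alerts = set(), []
    for line in log.splitlines():
        ts, result, user, _src = parse(line)
        if result != "FAIL":
            continue
        per_account[user] += 1
        if per_account[user] >= per_account_limit:
            locked.add(user)
        recent.append((ts, user))
        while recent and ts - recent[0][0] > window:
            recent.popleft()       # drop failures older than the window
        distinct = len({u for _, u in recent})
        if distinct > distinct_limit:
            alerts.append((ts, distinct))
    return locked, alerts
```

With the sample log, `detect_spray` locks no account but raises one alert when the sixth distinct account fails inside the window; in practice the thresholds would be tuned to the site's normal failed-login baseline.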
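The last answer's advice to never reveal whether an email address is in use applies to login, signup and forgotten-password forms alike. As an added example (not from the original post), here is a leaky login handler beside a hardened one and a hardened reset handler: the hardened versions return one generic message and still run a password hash against a dummy record when the account is missing, so neither the message nor the response time differs. The user store, hashing parameters and `queue_reset_email` helper are constructed for illustration.

```python
import hashlib
import hmac
import os

def _hash(password, salt):
    # Salted PBKDF2; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed user store: email -> (salt, password hash). Not real data.
_SALT = b"constructed-salt"
USERS = {"bob@example.com": (_SALT, _hash("correct horse", _SALT))}

# Dummy record used when the email is unknown, so the same amount of work
# is done whether or not the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("unused", _DUMMY_SALT)

GENERIC_LOGIN = "Invalid email or password."
GENERIC_RESET = "If that address is registered, a reset link has been sent."
RESET_QUEUE = []   # stands in for an outbound mail queue (constructed)

def login_leaky(email, password):
    """The 'before' form: two different messages enumerate valid emails."""
    if email not in USERS:
        return False, "No account with that email."
    salt, stored = USERS[email]
    if hmac.compare_digest(_hash(password, salt), stored):
        return True, "Welcome."
    return False, "Wrong password."

def login_hardened(email, password):
    """One message and one hash computation regardless of whether email exists."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored) and email in USERS
    return ok, ("Welcome." if ok else GENERIC_LOGIN)

def queue_reset_email(email):
    """Hypothetical helper: the real outcome is delivered out-of-band by mail."""
    RESET_QUEUE.append(email)

def forgot_password_hardened(email):
    """Same response for registered and unregistered addresses."""
    if email in USERS:
        queue_reset_email(email)
    return GENERIC_RESET
```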