
When entering username and password credentials, it's considered more secure to provide a generic login failure for different failure reasons (unknown account, wrong password, etc.) (ref: http://shiro.apache.org/10-minute-tutorial.html - there might be a better one).

That obviously increases the number of combinations a (brute-force) attacker has to try, but is not as helpful to the user as possible and might even lead to severe frustration if he/she is by accident convinced that the username is correct.

Is there a drawback to exposing the specific login failure reason to the user/potential attacker and compensating the decrease in number of combinations to try with more complex passwords?

Kalle Richter
    This similar question doesn't address the password complexity compensation angle, but does talk about the pros and cons of login error clarity: http://security.stackexchange.com/questions/62661/generic-error-message-for-wrong-password-or-username-is-this-really-helpful – PwdRsch Jan 25 '17 at 02:00
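The two message policies the question compares, as an added example in Python (not code from the question, from Shiro, or from the linked tutorial): a specific-reason login that tells the caller whether the account exists, beside a generic-message one, plus a small check that reports whether a login function's failure reply differs between a known and an unknown username. The user store, the PBKDF2 hashing and the usernames are constructed for the demo.

```python
import hashlib
import hmac
import os

GENERIC = "Invalid username or password"

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hash the real site uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def _record(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed in-memory user store for the demo.
USERS = {"alice": _record("correct horse battery staple"),
         "bob": _record("hunter2")}
# Dummy record used for unknown accounts so the generic path always does the
# same hashing work; a fast early return would reveal the account's existence
# even though the message does not.
_DUMMY = _record(os.urandom(16).hex())

def login_specific(username: str, password: str) -> str:
    """The 'helpful' policy: a different message for each failure reason."""
    rec = USERS.get(username)
    if rec is None:
        return "Unknown account"
    salt, stored = rec
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Wrong password"
    return "OK"

def login_generic(username: str, password: str) -> str:
    """The Shiro-style policy: one message for every failure reason."""
    rec = USERS.get(username)
    salt, stored = rec if rec is not None else _DUMMY
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if rec is None or not matches:
        return GENERIC
    return "OK"

def leaks_account_existence(login, known: str, unknown: str) -> bool:
    """True if a failed login reads differently for a real and a nonexistent account."""
    probe = "not-the-password"
    return login(known, probe) != login(unknown, probe)

if __name__ == "__main__":
    for fn in (login_specific, login_generic):
        print(fn.__name__, "confirms usernames:",
              leaks_account_existence(fn, "alice", "mallory"))
```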

2 Answers

I believe your proposal of increasing password complexity successfully mitigates the increased risk of exposing username information, especially if you consider that most registration pages already allow you to enumerate usernames by trying to register existing ones (albeit typically behind a CAPTCHA).

However, even if there isn't any drawback from a security standpoint, if the choice is between:

  1. Display generic (less helpful) login messages.
  2. Display more helpful login messages in conjunction with increasing the minimum password length by (for example) at least 4 characters.

It's likely that with #2 the collective increase in annoyance for all users is greater than the amount saved.

TTT

The reason why this question is more complex than it first might appear is that user-chosen passwords are subject to human factors, and specifically the habit of people to choose passwords that are memorable and as simple as possible even given complexity requirements, i.e. users are smart at finding passwords that meet complexity requirements but are actually from a more guessable set.

If you give a lot of information away about why a password attempt has failed then from a purely mathematical point of view you can overcome this by increasing complexity requirements, but this doesn't take into account user behaviour which may negate the additional complexity.

Brute forcing can be guided, and increasing (for example) password length doesn't necessarily provide the apparent key space to search because heuristics still apply. Also remember that complexity requirements can reduce the key space from the maximum space that is just based on length - at least heuristically. Think of the old complexity requirement to use at least one digit and users just appending a 1 on the end of their favourite password! Easy to create heuristic-based password-guessing algorithms for - this doesn't increase the key space by an additional character set in reality.

Having said this I'd live with the risk if the complexity increase was substantial and the complexity requirements weren't too simplistic or easy to circumvent in some way.

David Scholefield
  • Suppose you sign up for a website and are told your password must be at least 12 characters. How would the increased complexity of 12 characters, over, say 7 characters, be negated by user behavior? – TTT Jan 26 '17 at 05:42
  • 'Complexity' in the question isn't the same as 'length', but even with just increasing the length, users are happy to do daft things like repeating shorter passwords, or just adding duplicate characters on the end of short passwords to 'make them work'. My password brute forcers start with the kinds of patterns I see complexity requirements encouraging users to adopt to circumvent more random-looking combinations. – David Scholefield Jan 26 '17 at 07:33
  • OP didn't define "complex" to mean "longer", but by exposing the validity of the username you are reducing the number of brute force combinations, and the easiest way to compensate for that is by increasing the minimum length of the password. It's true that users could do stupid things like repeat their password, but in general, a 12 char minimum is going to be much more difficult to crack than a 7 char min, even with added intelligence to a cracker utility. But, I do agree *some* user's longer passwords will likely get cracked just as easily from stupidity. – TTT Jan 26 '17 at 13:41