3

I see that almost every website and service will tell you if you got your username or password wrong but won't tell you which one.

The reason I always see for this is that it allows an attacker to work out which users are in the system, but for almost every website I can already work this out by visiting the profile of that user, which will either give me a 404 or show the user page for that user, or I can try to sign up using an email, which will tell me if an email address/username is already taken, often even before hitting submit.

Why is it that these services which allow easy lookup of user IDs still try to hide the fact that the username exists when you sign in? From my perspective it almost seems like this is a similar situation to "What technical reasons are there to have low maximum password lengths?", where in one case something was helpful and then everyone copied it to the point where it was used outside of its helpful situation.

Qwertie
  • 778
  • 6
  • 11

1 Answer

2

Obviously, if there are other techniques for enumerating the users, then having the single message is of little use. But many forums only allow you to see user profiles once you are logged in, and if the forum is invite-only, then you would not be able to use this. Most likely, they are designing the login system for any case/combination of login system.

Naturally, in higher security applications (banking, etc.) steps are taken to try to ensure that there is no way to enumerate all users on the site, both through the login form and through other mechanisms on the site.

David
  • 15,814
  • 3
  • 48
  • 73
  • So if your website allows signup via email or showing user profiles then there is no risk in telling the user that it's the password they entered wrong? – Qwertie Jan 15 '18 at 03:43
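The point the answer makes is that a generic login message only helps if every other channel (signup, profile pages) is equally silent about whether an account exists. The example below is added here to illustrate that; it is not code from the question, the answer, or any site they describe. The usernames, emails, password, and the tiny in-memory user store are constructed for the example. The dummy-hash step in the uniform login handler is a complementary precaution the page does not mention: without it, a lookup miss skips the password hash and returns measurably faster than a hit, which is a second enumeration oracle even when the message is identical.

```python
import hashlib
import hmac
import os
import secrets

# --- constructed sample data (not from the page) ---------------------------
def _hash(password: str, salt: bytes) -> bytes:
    """Slow password hash; the work factor is what makes the timing gap visible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}   # username -> (salt, digest)
REGISTERED_EMAILS = {"alice@example.com"}

# Dummy credential hashed once at start-up so that an unknown username still
# costs exactly one PBKDF2 computation in login_uniform().
_DUMMY_SALT = os.urandom(16)
_DUMMY_DIGEST = _hash(secrets.token_hex(16), _DUMMY_SALT)

GENERIC = "Invalid username or password."


# --- login form ------------------------------------------------------------
def login_leaky(username: str, password: str) -> str:
    """Distinct messages per failure cause: an attacker learns whether `username` exists."""
    rec = USERS.get(username)
    if rec is None:
        return "No such user."
    salt, digest = rec
    if not hmac.compare_digest(_hash(password, salt), digest):
        return "Wrong password."
    return "OK"


def login_uniform(username: str, password: str) -> str:
    """One message and one hash computation whether or not the user exists."""
    salt, digest = USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    matched = hmac.compare_digest(_hash(password, salt), digest)
    # `username in USERS` guards against the (unguessable) dummy digest ever matching.
    return "OK" if matched and username in USERS else GENERIC


# --- signup form: the channel the question points at ------------------------
def signup_leaky(email: str) -> str:
    """Tells the visitor directly whether the address is already registered."""
    if email in REGISTERED_EMAILS:
        return "That email address is already taken."
    return "Check your inbox to confirm your address."


def signup_uniform(email: str) -> str:
    """Same response either way; the difference lives in the email that is sent, not the page."""
    return "If this address isn't already registered, a confirmation email has been sent."


# --- profile pages: the other channel, and the forum case from the answer ---
def profile_status(username: str, logged_in: bool = False) -> int:
    """HTTP status for /users/<username>. Members-only profiles give anonymous visitors 403."""
    if not logged_in:
        return 403
    return 200 if username in USERS else 404


# --- a simple enumeration check a tester would run against each endpoint ---
def can_enumerate(probe, samples) -> bool:
    """True if the endpoint answers differently for different (existing vs. unknown) inputs."""
    return len({probe(*s) for s in samples}) > 1


if __name__ == "__main__":
    pairs = [("alice", "x"), ("bob", "x")]
    print("login_leaky leaks:   ", can_enumerate(login_leaky, pairs))
    print("login_uniform leaks: ", can_enumerate(login_uniform, pairs))
    emails = [("alice@example.com",), ("bob@example.com",)]
    print("signup_leaky leaks:  ", can_enumerate(signup_leaky, emails))
    print("signup_uniform leaks:", can_enumerate(signup_uniform, emails))
```

Running `can_enumerate` over every endpoint that takes a username or email, not just the login form, is the check the answer implies: the generic message on `login_uniform` buys nothing while `signup_leaky` or an anonymous-readable `profile_status` is deployed beside it.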