
Am I right in assuming that by telling an attacker an email is or is not in the system the login is in fact weakened? Meaning, if the attacker knows the email is correct, he/she in fact already has 50% of the login details, no?


lowtechsun
    Possible duplicate of [Is it unsafe to show message that username/account does not exist at login?](https://security.stackexchange.com/questions/158075/is-it-unsafe-to-show-message-that-username-account-does-not-exist-at-login), [New Gmail login system—going against conventional wisdom?](https://security.stackexchange.com/questions/88815/new-gmail-login-system-going-against-conventional-wisdom/88819) and probably others. – Steffen Ullrich Aug 29 '18 at 09:38

2 Answers


This is one of the trade-offs between security and usability.

In a perfectly secure world, you would get a message saying that the login information is incorrect (without specifying whether the user name or the password field was wrong), leaving an attacker unsure of which field to change for the next attempt. From a usability standpoint, it is a much nicer error to see that the user has typed a password or email address wrong, so the user knows which to check.

Of course, Google's design (Microsoft's Outlook.com is the same way now) means they can't really tell you that either is wrong, just one or the other (since they ask for email and password separately).

Allen Howard
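The "single generic error" approach described in this answer, as an added example that is not part of the original answer: two login checks over a constructed in-memory user store, one that reports per-field errors (and so confirms whether an address is registered) and one that returns the same message on both failure paths. The uniform version also hashes against a fixed dummy record when the address is unknown, so the amount of work done is the same either way; that timing point is an addition to what the answer says. The user data, salt handling and PBKDF2 work factor are all assumptions made for the demo.

```python
"""
Added example (not from the original Q&A): a login check that returns the same
error for "unknown e-mail" and "wrong password", so the response does not
confirm whether an address is registered. User store and credentials below are
constructed sample data.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: PBKDF2 work factor for this demo


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed sample user store keyed by e-mail address.
USERS = {"alice@example.com": make_user("correct horse battery staple")}

# A fixed dummy record used when the e-mail is not registered, so the same
# amount of hashing work happens on both code paths (avoids a timing leak).
_DUMMY = make_user("placeholder-not-a-real-password")

GENERIC_ERROR = "The e-mail address or password is incorrect."


def login_leaky(email: str, password: str) -> tuple:
    """Per-field errors: tells the caller whether the e-mail exists."""
    user = USERS.get(email)
    if user is None:
        return False, "No account with that e-mail address."
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        return False, "Wrong password."
    return True, "ok"


def login_uniform(email: str, password: str) -> tuple:
    """Single generic error for both failure cases, equal work on both paths."""
    user = USERS.get(email)
    record = user if user is not None else _DUMMY
    candidate = hash_password(password, record["salt"])
    # The dummy record can never authenticate, even if its hash happened to match.
    ok = hmac.compare_digest(candidate, record["hash"]) and user is not None
    if not ok:
        return False, GENERIC_ERROR
    return True, "ok"


def enumerates_accounts(login) -> bool:
    """True if the login function's error text differs between an unknown
    address and a registered address with a wrong password."""
    _, msg_unknown = login("nobody@example.com", "x")
    _, msg_wrong = login("alice@example.com", "x")
    return msg_unknown != msg_wrong


if __name__ == "__main__":
    print("leaky leaks?   ", enumerates_accounts(login_leaky))    # True
    print("uniform leaks? ", enumerates_accounts(login_uniform))  # False
    print(login_uniform("alice@example.com", "correct horse battery staple"))
```

`enumerates_accounts` is the check a reviewer can run against any login handler: feed it an address you know is not registered and a registered one with a wrong password, and compare the responses. Message text is only the most obvious channel; status codes, redirects and response time should be compared the same way, which is why the uniform version does the hash on both paths.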

Yes, but email addresses are pretty public and easily compromised. Probably why they are switching to phone numbers.

Also, the attacker has only gained <1% of the difficulty required to brute-force an account.

  • Please explain who is switching to phone numbers instead of email addresses and how that is less of a security issue? It’s much easier to brute force a phone number than an email address since there is a fixed length and set of characters. – Jesse P. Aug 29 '18 at 10:57
  • Microsoft. But it's not necessarily about brute force, or other attacks as that is pretty easy to detect. It's about authentication and how to identify a user. An email is generic and not necessarily secure. Phones are harder to take and act more like 2FA. Where email and password is single factor. – user2505690 Aug 29 '18 at 16:18
  • An email address and password are two completely separate pieces of information. Having one is not mutually inclusive of the other. Phones themselves may be harder to get from a victim than guessing an email address, but why would you need to get the user's phone when you can just con a phone support rep into performing a SIM swap or port-out request to a phone you do have (like a burner phone) to move the victim's number to a device you now control? – Jesse P. Aug 29 '18 at 16:23