Help me settle a discussion among colleagues and guide future design:
Even in a high-impact scenario, e.g. protecting a payment application or government gateway, but in an Internet-accessible application:
Is it worthwhile implementing any of the following (or other) measures to protect a username:
Requiring a complex, system-generated username like the UK Government Gateway or HSBC online banking? Is the trade-off in terms of users forgetting this, needing to write it down, the additional call-center traffic, and users having to self-service username reminders worthwhile vs. the risk of using a public username such as an email address or mobile number?
Providing a generic message, "your username or password was incorrect", instead of the more user-friendly "your username was not recognized" and "your password was incorrect"
Using the following type of login sequence where a site-key or user selected personal pass-phrase to assist in identifying phishing sites is used:
- Enter username and a simple secret value (e.g. postcode)
- If invalid, they are given an error: username or value is incorrect
- If these are valid, the user's personal site-key image is shown and the password is requested
- If the password is invalid, error message: incorrect password
- If valid, access is granted
As opposed to the more friendly way on, say, Quora.com, where you are shown your picture on correct username entry. Is this acceptable only on a low-risk Q&A site?
My colleagues argue for keeping usernames secret and the above type measures:
- Mass username enumeration allows you to try dictionary and brute-force attempts against a site
- It enables you to DoS a site by locking all the accounts where account lockout is enabled
- Users like to use the same username and password across sites and many sites use e-mail address and mobile number for their sites. If users share credentials between sites, then credentials could be stolen or phished from the other sites and then used to access your site
- Publicly known facts, such as mobile and e-mail, do not count towards authentication strength. If the username is a known fact, then to maintain the same level of security the password must be significantly stronger to make up for the statistical difference, e.g. if username and password both have a minimum of 6 characters, then assuming 52 possible characters we have 52^12 combinations. However, if the username is a known fact then that becomes just 52^6 combinations; you have to increase the password to a 12-character minimum to get the same level of protection – failure to do this would increase account takeover risk.
I counter for each:
- Your real control against this is password length, complexity and account lockout policy
- You can mitigate this by having auto-unlock after a period of time (e.g. 5 - 30 mins), having a mass unlock function, having exponential back-off or IP banning for a period of time after a number of bad attempts, and selective anti-automation controls (e.g. Captcha, Roboo script) displayed after a number of failed attempts
- User education, a second authentication factor, adaptive authentication (e.g. step-up or graduated authentication based on device ID, location etc) would be better defenses against this
- I see username as identity and password as authentication. If you want a stronger authentication make the password longer or require 2 passwords - leave identification alone
Happy to learn and change my position. Thanks in advance.
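As an added illustration of the controls debated above (the generic "username or password was incorrect" message, auto-unlock after a period, and exponential back-off), the following Python is example code written for this page, not code from the question or from any product named in it. The in-memory user store, sample account and failure table are constructed; the code also spends the same password-hashing work on an unknown username as on a known one and applies the lock state to unknown names too, so neither the message, the timing nor the lockout behaviour reveals whether an account exists.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000
GENERIC_ERROR = "Your username or password was incorrect"
BASE_DELAY = 1.0     # seconds; doubles on each consecutive failure (exponential back-off)
MAX_DELAY = 1800.0   # lock auto-expires after at most 30 minutes, no call-centre unlock needed


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, pbkdf2 hash). One sample account only.
_salt = os.urandom(16)
USERS: Dict[str, Tuple[bytes, bytes]] = {"alice@example.com": (_salt, _hash("correct horse", _salt))}

# Dummy credential checked when the username is unknown, so a missing account
# costs the same hashing work as a wrong password (no timing-based enumeration).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)

# Failure state per submitted username, known or not: username -> (count, locked_until)
FAILURES: Dict[str, Tuple[int, float]] = {}


def login(username: str, password: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (success, message). `now` is injectable so the back-off can be tested."""
    now = time.time() if now is None else now
    count, locked_until = FAILURES.get(username, (0, 0.0))
    if now < locked_until:
        # A locked account answers exactly like a bad credential: saying "account locked"
        # would confirm the username exists.
        return False, GENERIC_ERROR
    known = username in USERS
    salt, expected = USERS[username] if known else (_DUMMY_SALT, _DUMMY_HASH)
    # Constant-time comparison is always performed, even for unknown usernames.
    matches = hmac.compare_digest(_hash(password, salt), expected)
    if known and matches:
        FAILURES.pop(username, None)   # successful login clears the back-off
        return True, "ok"
    count += 1
    delay = min(BASE_DELAY * 2 ** (count - 1), MAX_DELAY)
    FAILURES[username] = (count, now + delay)
    return False, GENERIC_ERROR
```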