1

Developers are dogmatic on having "invalid username or password" on login screens; our applications should not reveal if somebody is a member given an email address.

But there are two other ways our application can reveal a member:

  1. the signup page returns a "this email was registered by somebody else" (often this is a dedicated endpoint for Ajax)
  2. the reset password page has a "your link has been sent to your email" or "provided email does not exist in our records"

Why are we only worried about the login screen revealing membership? Should we plug these holes as well?

The "provided email does not exist in our records" on reset password page is useful when we have entered a wrong email or we signed up with wrong email address. Example: I am named Raj, have wrongly signed up with ral@example.com (mispelled J) and I try to send a reset request to raj@example.com.

Anders
  • 64,406
  • 24
  • 178
  • 215
Jesvin Jose
  • 499
  • 1
  • 5
  • 10

2 Answers2

2

If this is supposed to be a secure system to that extent and since the email address is disclosed elsewhere, the developers could make the username a randomly generated number instead of the user's email address. This closes the information leakage gap.

For instance, for a generated numerical username:

  • Failed login: "Username incorrect"
  • Failed password: "Password incorrect"
  • Already registered: This error won't occur with a surrogate username key unless you have a company policy that people (e.g. in a family) can't use the same email address.
  • Password reset (by username): Email address isn't disclosed as message can say "Reset link has been sent to the email address associated with this username."
  • Password reset (by email address): "Reset link has been sent to this email address for all accounts that are associated with this email address."

Besides, the either/or fallacy of login field validation adds only a few bits of extra entropy to the overall brute force security whilst decreasing usability. Just increase the minimum password length requirements to gain the same effect sensibly. One assumes that exponential delay exists on the password attempts in any case.

LateralFractal
  • 5,143
  • 18
  • 41
  • The email address is the unique key, and its a public-facing application. – Jesvin Jose Oct 13 '14 at 08:59
  • @aitchnyu Surrogate primary keys are easy to create, I'm surprised this isn't occurring under the hood. If the username is intended to be user friendly, a better choice than an email address would be replacing your authentication with an OpenID arrangement or the Google Authenticator API, taking the entire problem off your hands. – LateralFractal Oct 13 '14 at 09:16
  • Unfortunately OpenID Connect is the future of OpenID and it's been associated with social networks aka OAuth. So now signing in with google, whether its OAuth or OpenID, its like asking "would you like to share all of your contacts with us? Would you like to spam your friends with an advertisement for us?" – Andrew Hoffman Oct 13 '14 at 19:35
  • Which is a crying shame, cause I'm a big supporter of bringing your own identity. Friggin OAuth.. – Andrew Hoffman Oct 13 '14 at 19:36
0

There is usually a trade-off between security and usability. As a web developer, you have to decide what level of security is required for your application and strike a balance between the two.

As correctly pointed out by you, there is an inconsistent treatment on the protection of email addresses on many websites. The reason is fairly simple:

  • A login page requires only an email address and password, which makes it pretty easy to make several attempts in a short time.
  • A signup page takes a greater amount of time to fill in manually.
  • It is possible to implement CAPTCHA on both password reset page and signup page to prevent automated enumeration of email addresses.

By hiding the fact that an email address is already taken up (on registration), or that an email address is wrong (on password reset), the consequence is that legitimate users who make a typing mistake are not able to sign up, or reset their password and they wouldn't know what is the problem. The cost is either you lose a customer or it increases the workload of your help desk, and adds frustration to your users.

In the case of showing a generic login error, as long as the email address remains on screen after a failed attempt, it is not difficult to tell whether the email address or password is entered wrongly. The inconvenience of not being told which is wrong is quite inconsequential.

If your security requirement is so high that email addresses must be kept a secret, then it should never be used in your authentication system. Try usernames instead.

Question Overflow
  • 5,220
  • 6
  • 27
  • 48