paint-brush
“username or password incorrect” is bullshitby@travisjeffery
50,184 reads
50,184 reads

“username or password incorrect” is bullshit

by Travis JefferyDecember 21st, 2017
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

There’s a <a href="https://hackernoon.com/tagged/security" target="_blank">security</a> best practice where sign ins aren’t supposed to say “password is incorrect”. Instead they’re supposed to say the “<em>username</em> or password is incorrect”. This “best practice” is bullshit.

Companies Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - “username or password incorrect” is bullshit
Travis Jeffery HackerNoon profile picture

There’s a security best practice where sign ins aren’t supposed to say “password is incorrect”. Instead they’re supposed to say the “username or password is incorrect”. This “best practice” is bullshit.

Stripe and GitHub’s sign ins for example follow this practice.

The idea is if an attacker knows a username, he or she could concentrate on that account using SQL injection, brute forcing the password, phishing, and so on.

Here’s the problem.

Stripe’s sign up page.

Shit, y’all know my username… Guess I’m fucked. Not to mention you could’ve just gone to https://github.com/travisjeffery.

All a hacker has to do is sign up to know whether the username is valid or not. Why bother then with obfuscating the sign in? Only the dumbest, laziest hacker is stopped by the “username or password is incorrect” sign in. You gain no security, yet your customers lose clarity.

Stripe has their form submission behind reCAPTCHA to prevent naive scripts attacking their sign up. However this has been broken multiple times (1, 2) and likely won’t ever be perfect. Even if reCAPTCHA was perfect, a hacker could manually validate their usernames of interest by trying to sign up, then automate an attack on the sign in page.

To prevent attackers from knowing whether an account exists or not your signup must only take an email address and provide no feedback in the UI if the sign up succeeded or not. Instead the user would receive an email saying they’re signed up. The only way an attacker would know if an account exists is if they had access to the target’s email.

Barring that, “username or password incorrect” is just bullshit.

Please say hi at @travisjeffery.

Hit the 👏 and share if you found this useful.

Thanks for reading.