For example, if someone enters an incorrect username and/or password, the application should not tell them whether it was the username or the password that was wrong. Confirming that a username exists is useful information to someone trying to gain unauthorized access: it lets them narrow their attack to a known username and/or combine that username with other information to help guess or otherwise obtain the password. Such information is also useful in social engineering.
GIVEN that not disclosing information to the unauthorized in error messages is a practice that is expected of any competent web application developer
AND that Healthcare.gov is a system many are required by law to use
AND that Healthcare.gov contains private information,
THEN let's take a look at what we get from Healthcare.gov:
FAIL!
PS: Given a real constraint on unique user names, obfuscating the fact that a username exists may not be easy. However, one could at least present a more ambiguous error message, along the lines of "That username is invalid. Please try another." Or let the system generate the usernames in a way that creates no conflicts. (See comment below.)
So, how does one create a unique username without exposing what other usernames exist in the system?
One approach I've seen used is to:
1) Get a username from the user
2) Generate a few random characters
3) Append those random characters to the user-provided username
4) Check if the username (consisting of user-provided and random characters) exists. If it does, try a new set of random characters.
5) Tell the user what username has been generated for them.
This mix of a user-provided name and a few randomly generated characters provides a username the user should be able to remember without exposing what usernames exist.
If you know of other approaches for protecting usernames, please share them.
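The five-step scheme from the comment above, combined with the single generic login error the post argues for, as a constructed example (added here; not code from the post or from Healthcare.gov). The in-memory UserStore, the 4-character suffix and the exact error text are assumptions:

```python
import hashlib
import hmac
import secrets
import string

SUFFIX_LEN = 4                                   # assumed: 4 random characters
SUFFIX_ALPHABET = string.digits + string.ascii_lowercase
GENERIC_LOGIN_ERROR = "Invalid username or password."   # same text for both failures


def _hash(password, salt):
    # Salted PBKDF2 stand-in for whatever the real store uses
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Compared when the username does not exist, so a missing user costs about the
# same time as a wrong password (no timing-based confirmation of usernames).
DUMMY_SALT = b"\x00" * 16
DUMMY_HASH = _hash("placeholder", DUMMY_SALT)


class UserStore:
    """Constructed in-memory user store standing in for a real database."""

    def __init__(self):
        self._users = {}  # username -> (salt, password_hash)

    def exists(self, username):
        return username in self._users

    def register(self, desired_name, password, max_tries=20):
        """Steps 1-5: always append random characters to the user-provided name
        and retry until the combination is unused. The caller only sees the
        suffixed name, so nothing reveals whether the bare name was taken."""
        base = desired_name.strip().lower()
        if not base:
            raise ValueError("username must not be empty")
        for _ in range(max_tries):
            suffix = "".join(secrets.choice(SUFFIX_ALPHABET) for _ in range(SUFFIX_LEN))
            candidate = base + suffix
            if not self.exists(candidate):
                salt = secrets.token_bytes(16)
                self._users[candidate] = (salt, _hash(password, salt))
                return candidate  # step 5: tell the user the generated name
        raise RuntimeError("could not allocate a unique username")

    def login(self, username, password):
        """Unknown user and wrong password yield the identical (ok, message)."""
        salt, stored = self._users.get(username, (DUMMY_SALT, DUMMY_HASH))
        matches = hmac.compare_digest(_hash(password, salt), stored)
        if matches and self.exists(username):
            return True, "ok"
        return False, GENERIC_LOGIN_ERROR
```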
Nice, tricky approach. But on which website has anyone implemented it?
Instead of only "username is incorrect" OR "password is incorrect"
Can we have "Invalid Username/Password." as the error message?
What kind of error messages can we have?
I don't think knowing that a user name exists is as bad as you say. This is what Google returns straight away when you try to create an account with an existing email address: "This email address already corresponds to a Google Account. Please sign in or, if you forgot your password, reset it."
Google usernames are part of public profiles. Google also offers users the option to enable a 2-step account info recovery that contacts them by phone as well as email.
Healthcare.gov is a system that collects personal information that would be a goldmine for identity thieves. A system like Healthcare.gov is deserving of a higher standard. I'm not an attorney, but revealing this information appears to violate the site's own privacy policy and the Privacy Act of 1974.
Exposing usernames and email addresses contributes to making the site less secure when Healthcare.gov also:
* Keeps the same password reset code without changing it with each use attempt
* Sends usernames and password reset codes via insecure email -- together
* Reveals email addresses that go with a username
* Doesn't notify old email address of email address changes
Confirming intercepted or guessed passwords is the first step in taking advantage of many other potential security vulnerabilities.