Ask HN: Incorrect user name and/or password

2 points by webwielder ↗ HN
Is not specifying whether a user has entered an incorrect user name or an incorrect password done for security reasons or is it jut bad UX? If it is done for security reasons, how much and in what way does it contribute to security?

5 comments

[ 13.1 ms ] story [ 26.7 ms ] thread
If the motivation is security than the effectiveness of the extra security is questionable. Even if a system uses this type of error message to stop people from testing for existing accounts the user signup or password reset pages will almost always tell you if an particular username is being used.
If I enter username_x and password_x as my parameters, and you say "the username is right, but the password is wrong", than as an attacker, I've just learned that a user account exists named username_x.

If I'm being malicious, this could give me better access to focus on password cracking, since now I have a known-good account to work against. I might design a system that just goes through a dictionary list of usernames until I get a decent list of users, then loop through them with password attempts.

Let's say I'm not an attacker, but an overly curious friend, boy/girl-friend, or employer of a particular user. If I try 'bmelton' as a username on, say, Monster.com, and my employer gets as message saying "the username is right, but the password is wrong", then my employer now knows that I'm a user on Monster.com. That might not be the end of the world, and is easy to explain away, but lets say the website is "hot_chicks_that_aren't_your_wife.com", and your girlfriend finds you have an account on there.

This is potentially compounded if you're using email addresses as usernames, since I could easily point to 'some other' Barry Melton[1] and say that 'bmelton' must be his account, but that's harder to pull off if it is my email address.

In short, it's a security issue that also happens to be bad UX. Perhaps if your website has no negative connotation (e.g., freekittensforcharity.com), then it doesn't matter, but you're still slightly more vulnerable to password attacks as I described in the first scenario.

[1] - http://www.counterculture.net/thefish/

But as slg mentioned below, it's trivial to check if a username/email is registered through the forgot password page. So some snooping significant other can still find out if they really want to.
The more secure systems I've been to don't acknowledge whether or not the account exists. I've actually seen a message that said something like

"If an account exists for that email address, it will receive an email shortly."

As I said (or meant to say) earlier, how anal you are has a little bit of luxury dependent on the nature of the site. If it's a social network, it's probably fine to show that usernames exist (unless their profiles are specifically flagged to be private), as part of the site shows that their usernames exist already. I could easily harvest usernames on HN here without ever having to test against the password form.

If your site is of a more personal, sensitive, embarrassing or whatever other situation you can concoct, then of course you'd want to adjust your username/password strategies accordingly.

Looking at security of a website, it has to be just the way it it. It should not prompt whether or not username or password is incorrect..and if it does, then it would be vulnerable. It prevents hacker to know about whether he has got right username or not? If he knows that then he can tryout various passwords using the username he guessed earlier.