Ask HN: Incorrect user name and/or password - webwielder

Is not specifying whether a user has entered an incorrect user name or an incorrect password done for security reasons, or is it just bad UX? If it is done for security reasons, how much and in what way does it contribute to security?
======
slg
If the motivation is security, then the effectiveness of the extra security is
questionable. Even if a system uses this type of error message to stop people
from testing for existing accounts, the user signup or password reset pages
will almost always tell you if a particular username is being used.

------
aadarshbohara
Looking at the security of a website, it has to be just the way it is. It should
not prompt whether the username or the password is incorrect, and if it does,
then it would be vulnerable. It prevents a hacker from knowing whether he has
got the right username or not. If he knows that, then he can try out various
passwords using the username he guessed earlier.

------
bmelton
If I enter username_x and password_x as my parameters, and you say "the
username is right, but the password is wrong", then as an attacker I've just
learned that a user account exists named username_x.

If I'm being malicious, this could give me better access to focus on password
cracking, since now I have a known-good account to work against. I might
design a system that just goes through a dictionary list of usernames until I
get a decent list of users, then loop through them with password attempts.

Let's say I'm not an attacker, but an overly curious friend, boy/girl-friend,
or employer of a particular user. If I try 'bmelton' as a username on, say,
Monster.com, and my employer gets a message saying "the username is right,
but the password is wrong", then my employer now knows that I'm a user on
Monster.com. That might not be the end of the world, and is easy to explain
away, but let's say the website is "hot_chicks_that_aren't_your_wife.com", and
your girlfriend finds you have an account on there.

This is potentially compounded if you're using email addresses as usernames,
since I could easily point to 'some other' Barry Melton[1] and say that
'bmelton' must be his account, but that's harder to pull off if it is my email
address.

In short, it's a security issue that also happens to be bad UX. Perhaps if
your website has no negative connotation (e.g., freekittensforcharity.com),
then it doesn't matter, but you're still slightly more vulnerable to password
attacks as I described in the first scenario.

[1] - <http://www.counterculture.net/thefish/>

~~~
webwielder
But as slg mentioned below, it's trivial to check if a username/email is
registered through the forgot password page. So some snooping significant
other can still find out if they really want to.

~~~
bmelton
The more secure systems I've been to don't acknowledge whether or not the
account exists. I've actually seen a message that said something like

"If an account exists for that email address, it will receive an email
shortly."

As I said (or meant to say) earlier, how anal you are has a little bit of
luxury dependent on the nature of the site. If it's a social network, it's
probably fine to show that usernames exist (unless their profiles are
specifically flagged to be private), as part of the site shows that their
usernames exist already. I could easily harvest usernames on HN here without
ever having to test against the password form.

If your site is of a more personal, sensitive, embarrassing or whatever other
situation you can concoct, then of course you'd want to adjust your
username/password strategies accordingly.
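As an added illustration of the two points made in this thread (the login form leaking "username right, password wrong", and the reset page answering "If an account exists..."), here is example code that is not from any poster; the user store, hash parameters and messages are constructed for the demo. It also shows one caveat the thread does not mention: the uniform message only helps if the server does the same amount of work for unknown and known usernames, so a dummy hash is verified when the name is not registered.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory user store for the example: username -> (salt, PBKDF2 hash).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"bmelton": (_SALT, _hash("correct horse", _SALT))}

# Salt and hash for a user that does not exist, so the password check costs the
# same whether or not the username is registered (no timing oracle).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)

UNIFORM_MSG = "Incorrect user name and/or password"
RESET_MSG = "If an account exists for that email address, it will receive an email shortly."


def login_leaky(username: str, password: str) -> str:
    """The problem described in the thread: two distinct messages, so the
    response alone tells the caller whether the username is registered."""
    if username not in USERS:
        return "Unknown user name"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Incorrect password"
    return "OK"


def login_uniform(username: str, password: str) -> str:
    """One message for both failure cases, and a hash is always computed."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash(password, salt), stored)
    # Membership is checked after the hash so the work done is identical either way.
    return "OK" if matched and username in USERS else UNIFORM_MSG


def reset_request(email: str) -> tuple[str, bool]:
    """The reset page answers identically for any address; the second value is
    internal bookkeeping (would the email be sent?) and is never shown to the caller."""
    would_send = email in USERS  # in real code: enqueue the reset email here
    return RESET_MSG, would_send
```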

