Basic question: Why don't login scripts tell you..



  • Hello

     I am a senior in college with limited web-programming experience. So, don't laugh if this seems too stupid a question.

     
    Ever since I started using the Internet 12 years ago, on almost every website with a Login script... whenever you enter incorrect details the script always says "Your username or password is invalid".

    Is it that hard to tell the user specifically which one of the 2 is invalid? Net-savvy users like us tend to have tons of accounts on various websites. Sometimes when I visit a website, I don't even remember if I have registered there. I think it would be really helpful if the Logic script actually told you which part was incorrect.

    I created a simple forum software in JSP for a course project which had this feature.

     

    Thanks.
     



  • Laziness or security reasons. You probably don't want to tell an attacker that he guessed the login name right.



  • In a word "security", although it may well be undermined by a poor password recovery option anyway.



  • It's a pretty common security feature -- don't give away more information than necessary.  Unix login uses the same principle (at least on machines I've used). Telling the user which part was incorrect would certainly be just as helpful to malicious users as it would to legitimate users, don't you think?



  • In many systems it is easy to find out someone's login anyways.  I agree most of the time, although if it's a system where security is reasonably tight and usernames are hard to find then I understand the ambiguity.  Also it's hard to tell someone if they have the right password and the wrong username.  If the username is wrong are you going to check the entire database for the correct password?



  • [quote user="GizmoC"]

    Hello

     I am a senior in college with limited web-programming experience. So, don't laugh if this seems too stupid a question.

     
    Ever since I started using the Internet 12 years ago, on almost every website with a Login script... whenever you enter incorrect details the script always says "Your username or password is invalid".

    Is it that hard to tell the user specifically which one of the 2 is invalid? Net-savvy users like us tend to have tons of accounts on various websites. Sometimes when I visit a website, I don't even remember if I have registered there. I think it would be really helpful if the Logic script actually told you which part was incorrect.

    I created a simple forum software in JSP for a course project which had this feature.

     

    Thanks.
     

    [/quote]

     

    security reasons.... if you don't know any login names or passwords, you have to brute both of them (if you are bruting). if something tells you one is correct..... DHERPA DHER!!!!! (just check the other one).... it would be UBERTARDED to tell you if just the username was wrong, because what if the password was actually wrong, and you accidentally typed someone else's password.... now you just gotta figure out which user it was!!!



  • But since most web programmers aren't so savvy as to consciously use it as a security feature, yet still do it, it's usually just Security By Fortunate Laziness.



  • I don't really see how useful it would be. There are only three possible outcomes.

    1. There is no user with the supplied user name.
    2. There is a user but the password doesn't match. The user entered the wrong pass or username.
    3. There is a user and the password matches, let the user in.

    I don't really see how much help differentiating between 1 and 2 would be.

    Chances are the sites that cause a problem have lots of users and all the popular user names have gone. Even if you enter the wrong username someone else will be using it so you end up at outcome 2 that doesn't really help. The app can't tell if you entered the password wrong or if you made a typo entering the user name that just happens to be someone else's user name. Telling the user that the password is wrong isn't going to help. They then won't check the user name which could be incorrect.

    If the site has few users chances are you will have got your user name and so log in without ever seeing 1.
     



  • [quote user="tster"] also it's hard to tell someone if they have the right password and the wrong username.  if the username is wrong are you going to check the entire database for the correct password?  
    [/quote]

    Of course not.

    I was thinking something along the terms

    if getUsername(usernameTxtField) == null
        return "Your username does not exist"
    if getPassword(usernameTxtField) != passwordTxtField
        return "Your user name is correct. But your password is wrong"


    But anyways, I see the security angle now.
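
An added example, not part of the thread or any poster's code: the pseudocode above written out in Python beside a version that returns one message for every failure. The `users` table layout, the PBKDF2 parameters and the function names are assumptions made for the demo; the dummy-hash step goes beyond what the thread discusses and keeps the work done for an unknown username the same as for a known one.

```python
import hashlib
import hmac
import os
import sqlite3

GENERIC_ERROR = "Your username or password is invalid"
ITERATIONS = 50_000  # constructed value for the demo, not a recommendation


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user, stored as salt + PBKDF2 hash."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("alice", salt, hash_password("correct horse", salt)))
    return db


def login_verbose(db, username: str, password: str) -> str:
    """The behaviour from the pseudocode: each failure names its cause."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return "Your username does not exist"
    if not hmac.compare_digest(hash_password(password, row[0]), row[1]):
        return "Your user name is correct. But your password is wrong"
    return "OK"


# Dummy credentials so an unknown username costs the same hashing work.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("placeholder", _DUMMY_SALT)


def login_uniform(db, username: str, password: str) -> str:
    """One message for every failure, same work on both failure paths."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    salt, stored = row if row is not None else (_DUMMY_SALT, _DUMMY_HASH)
    matches = hmac.compare_digest(hash_password(password, salt), stored)
    # A match against the dummy hash must never log anyone in.
    return "OK" if (row is not None and matches) else GENERIC_ERROR
```

With `login_verbose` the two failure strings differ, so the response alone reveals whether a name is registered; with `login_uniform` both failures are indistinguishable to the caller.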



  • [quote user="stinch"]

    Chances are the sites that cause a problem have lots of users and all the popular user names have gone. Even if you enter the wrong username someone else will be using it so you end up at outcome 2 that doesn't really help.
     

    [/quote]

     

    Oh yea, didn't think of that. Thanks, it makes more sense now :)



  • [quote user="GizmoC"]I was thinking something along the terms

    if getUsername(usernameTxtField) == null
        return "Your username does not exist"
    if getPassword(usernameTxtField) != passwordTxtField
        return "Your user name is correct. But your password is wrong"


    But anyways, I see the security angle now.

    [/quote]

    How do you know the user name is correct? All you know is that there is a user with that name in the db and the password doesn't match it. That is not the same as the user name being correct and the password being wrong. The user could have made a typo that happens to be someone else's username. They may have several different usernames they use on different sites and entered the wrong one that someone else is using.
     



  • It is all about security. You don't want to let people know that they have found a valid username when they type something random into the box.

    That said, seeing as how password fields are usually hidden, I don't see why it can't tell you if you find an invalid password. Something along the lines of:

    "The password you entered is valid, but you have the wrong username, please try another."

    This is clearly the best solution.



  • [quote user="GizmoC"]

    Ever since I started using the Internet 12 years ago, on almost every website with a Login script... whenever you enter incorrect details the script always says "Your username or password is invalid".

    [/quote]

    It's for two reasons:  security and speed.  On some sites the usernames aren't public and it is an extra layer of security if those aren't revealed as well.

    For speed, it only takes one SQL query to check the username and password:

    SELECT *, "" AS password FROM users WHERE username = ? AND password = ? LIMIT 1;

    They could just search for the username, but I prefer to keep the password out of the hands of the client.  For the next version of my site it says the password was invalid because all of the usernames are public anyway.  90% of the reason is because everybody else does it and just producing one error allows for more time spent being lazy.



  • @Some Idiot said:

    That said, seeing as how password fields are usually hidden, I don't see why it can't tell you if you find an invalid password. Something along the lines of:

    "The password you entered is valid, but you have the wrong username, please try another."

    This is clearly the best solution.

    I think I will implement this to prove a point to my manager. He said "the login page says 'your username or password were not valid' and I think we need to change it." I tried to say "no," but he didn't understand. This illustration is perfect.

