I'm not sure how I feel about this one.
Here's the deal: when you present a username/password box, you're expecting a username and password. Either being absent is fair game to report to the user, and if the password is wrong, again, fair game to admit it.
But what should happen if the username is invalid?
SMF, and currently Wedge, report that the username does not exist. Note that this will be the same for email addresses, which means it's possible to brute force email addresses out of the system with work.[1]
If it isn't obvious what I'm getting at, let me explain. If you type in a username and password, but the username doesn't exist, it will tell you so, regardless of what the password is. If you type in a valid username (or email address), but a useless password, you get told the password is wrong. Given that information it is possible to use the login feature to validate email addresses against your forum's userbase to a degree.[2] All because you're telling them something about the data they have.
Here's the catch: it is better user experience to tell them what's wrong with their information, but by doing so you give away something in security that it might be better not to do.
So I'm on the fence about what I should do; the current approach is not wrong but neither is right. It's certainly a better experience than it blandly stating 'The username or password is wrong', but it is less secure. How important is this security, especially in light of privacy laws?
1. Oh, and did I mention, this isn't recorded anywhere either?
2. The session level brute force detector will still catch it, but it's not like that's too hard to sidestep.
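To make the trade-off concrete, here is an added example (not SMF or Wedge code) of the two login behaviours side by side: the verbose variant returns a different message for an unknown account than for a wrong password, while the uniform variant returns one message and does the same hashing work on both paths, so neither the text nor the timing says whether the account exists. The user table, salt, and helper names are constructed for the demo.

```python
import hashlib
import hmac

# Constructed stand-in for a user store; real forum software keys this off a database row.
_SALT = b"constructed-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USERS = {
    "alice": _hash("correct horse"),
    "bob@example.com": _hash("battery staple"),  # login by email address works too
}

# Dummy hash verified for unknown accounts so the unknown-user path costs the same.
_DUMMY = _hash("placeholder")


def login_verbose(identifier: str, password: str) -> str:
    """The behaviour the post describes: the message reveals whether the account exists."""
    if identifier not in USERS:
        return "That username does not exist."
    if not hmac.compare_digest(USERS[identifier], _hash(password)):
        return "Password incorrect."
    return "OK"


def login_uniform(identifier: str, password: str) -> str:
    """Hardened variant: one message for both failures, and a hash check on every path."""
    stored = USERS.get(identifier, _DUMMY)
    matched = hmac.compare_digest(stored, _hash(password))
    # The membership test keeps a lucky guess of the dummy password from succeeding.
    if identifier not in USERS or not matched:
        return "Username or password is wrong."
    return "OK"


def leaks_account_existence(login) -> bool:
    """True if an unknown account and a wrong password produce different responses."""
    return login("nobody", "x") != login("alice", "x")
```

`leaks_account_existence` is the check to keep around: it is the one-line regression test for the property this thread is weighing.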