"Username does not exist" warning

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
"Username does not exist" warning
« on March 20th, 2012, 02:42 AM »
I'm not sure how I feel about this one.

Here's the deal: when you present a username/password box, you're expecting a username and password. Either being absent is fair game to report to the user, and if the password is wrong, again, fair game to admit it.

But what should happen if the username is invalid?

SMF, and currently Wedge, report that the username does not exist. Note that this will be the same for email addresses, which means it's possible to brute force email addresses out of the system with work.[1]

If it isn't obvious what I'm getting at, let me explain. If you type in a username and password, but the username doesn't exist, it will tell you so, regardless of what the password is. If you type in a valid username (or email address), but a useless password, you get told the password is wrong. Given that information it is possible to use the login feature to validate email addresses against your forum's userbase to a degree.[2] All because you're telling them something about the data they have.

Here's the catch: it is better user experience to tell them what's wrong with their information, but by doing so you give away something in security that it might be better not to do.

So I'm on the fence about what I should do; the current approach is not wrong, but neither is it right. It's certainly a better experience than it blandly stating 'The username or password is wrong', but it is less secure. How important is this security, especially in light of privacy laws?
 1. Oh, and did I mention, this isn't recorded anywhere either?
 2. The session level brute force detector will still catch it, but it's not like that's too hard to sidestep.
When we unite against a common enemy that attacks our ethos, it nurtures group solidarity. Trolls are sensational, yes, but we keep everyone honest. | Game Memorial
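The two behaviours the post contrasts, as an added example (this is not SMF or Wedge code; the user table, function names and log format are constructed for illustration): the first handler reports "username does not exist" versus "password wrong", so the message itself confirms whether an identifier is registered; the second returns one message either way, does the same password-hash work whether or not the user exists, and records the failed attempt, which addresses footnote [1].

```php
<?php
// Added example, not SMF or Wedge code. Two login handlers side by side:
// one that leaks whether the identifier exists, one that does not.

// Constructed sample user table: username => [email, password hash].
// The hash is computed at load time so the snippet runs stand-alone.
function sample_users(): array
{
    return [
        'alice' => [
            'email' => 'alice@example.invalid',
            'hash'  => password_hash('correct horse', PASSWORD_DEFAULT),
        ],
    ];
}

// Accept either the username or the e-mail address, as the forum does.
function find_user(array $users, string $login): ?array
{
    foreach ($users as $name => $row) {
        if (strcasecmp($name, $login) === 0 || strcasecmp($row['email'], $login) === 0) {
            return $row;
        }
    }
    return null;
}

// Leaky variant: distinct messages reveal whether the identifier exists.
function login_leaky(array $users, string $login, string $password): string
{
    $user = find_user($users, $login);
    if ($user === null) {
        return 'That username does not exist.';
    }
    if (!password_verify($password, $user['hash'])) {
        return 'The password is incorrect.';
    }
    return 'ok';
}

// Uniform variant: same message and roughly the same work whether or not
// the identifier exists, plus a log line so the admin can see the probing.
function login_uniform(array $users, string $login, string $password, array &$log): string
{
    $user = find_user($users, $login);

    // Verify against a throwaway hash when the user is missing, so the
    // response time does not differ between "no such user" and "wrong password".
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    $ok = password_verify($password, $user['hash'] ?? $dummy) && $user !== null;

    if (!$ok) {
        // Hypothetical log format; a real forum would write to its own log table.
        $log[] = sprintf('%s failed login for "%s" (%s)', gmdate('c'), $login,
            $user === null ? 'unknown identifier' : 'bad password');
        return 'The username or password is incorrect.';
    }
    return 'ok';
}

$users = sample_users();
$log = [];
echo login_leaky($users, 'nobody', 'x'), "\n";                    // tells the caller "nobody" is not a user
echo login_uniform($users, 'nobody', 'x', $log), "\n";            // generic message
echo login_uniform($users, 'alice', 'x', $log), "\n";             // the same generic message
echo login_uniform($users, 'alice', 'correct horse', $log), "\n"; // ok
print_r($log);                                                    // both failures are now recorded
```

The point of the dummy `password_verify` call is that a uniform message alone is not enough: if the "no such user" path returns immediately while the "wrong password" path spends time hashing, the response time still distinguishes the two cases, which is the "it'll just take longer" concern raised later in the thread.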

markham

  • Finally finished the Slideshow... phew!
  • Posts: 138
Re:
« Reply #1, on March 20th, 2012, 08:08 AM »
Quote from Arantor on March 20th, 2012, 02:42 AM
But what should happen if the username is invalid?
In that specific case, I'd suggest simply re-displaying the log-in form ad infinitum. The username is the one of the two things a genuine user is less likely to forget than his password.

However, if a correct username is entered but an incorrect password is supplied (say) three times, then password recovery could be offered if further conditions are met:
  • The user is attempting to log-in from the same country from where he originally registered [1].
  • The email address supplied matches that recorded for the username
  • The user supplied the correct answers to (at least one) security question -- and I suggest that, upon registration, users must supply at least two security Q and As
  • The username, current IP address and email address pass the validation tests of a service such as Stop Spammer (and the same validation should also be performed on registration).
A user who forgets his username should really be made to re-register.

Having "lurked" for a while now, I think you'd be against making services such as Stop Spammer, Bad Behavio(u)r and Akismet part of the core but I do believe these should be standard plug-ins that are included by default and activated by their respective API keys.

Finally - and slightly related - please provide the option for the prospective member to choose the language used by reCaptcha. Google tries to be helpful by automatically using the language according to the country of access. Problem is that an English person accessing from Moscow won't necessarily understand the reCaptcha instructions.[2]

Mark
 1. (but IP addresses need not match since not everyone has a fixed IP address)
 2. Yes, I know it says something like "Type-in the two words you see" but that's because we're used to seeing reCaptchas on a regular basis; many Forum users aren't.

godboko71

  • Fence accomplished!
  • Hello
  • Posts: 361
Re:
« Reply #2, on March 20th, 2012, 11:08 AM »
So it all depends on the website on which it should be used. I say keep the better user experience and have a security guide for those who want to shore things like that up.
Thank you,
Boko

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re:
« Reply #3, on March 20th, 2012, 12:32 PM »
Quote
In that specific case, I'd suggest simply re-displaying the log-in form ad infinitum. The username is the one of the two things a genuine user is less likely to forget than his password.
Thing is, if you don't do that, you still have to be careful. If you do anything to give away the fact that the username exists vs that it doesn't, you are giving the miscreants a window, however small, into your data. If you keep displaying the log-in form ad infinitum, it isn't going to be hard for a miscreant to figure out what's a genuine username/email or not, it'll just take longer.

It's still a side issue in the fact that you don't know they're doing it: it's not recorded anywhere that an invalid username is used. I also know from experience that the number of times it happens is probably higher than you think.
Quote
However, if a correct username is entered but an incorrect password is supplied (say) three times, then password recovery could be offered if further conditions are met:
This already happens.
Quote
The username, current IP address and email address pass the validation tests of a service such as Stop Spammer (and the same validation should also be performed on registration).
I will not tie anything to Stop Spammer (which is ultimately Stop Forum Spam's database) out of the box, nor will I personally write a plugin for it. There are still way too many false positives in their database, though it has improved since the time when someone 'helpfully' decided to put my own details in there just to wind me up.
Quote
Having "lurked" for a while now, I think you'd be against making services such as Stop Spammer, Bad Behavio(u)r and Akismet part of the core but I do believe these should be standard plug-ins that are included by default and activated by their respective API keys.
Bad Behaviour is already part of the core, it has no API key. Stop Spammer I do not want in the core, neither do I want Akismet. Having used both extensively over time, I dislike the rather high number of false positives that both have. That said I will probably write an Akismet plugin to integrate with the moderation filters system (which means users have the flexibility to pass a post to Akismet and they can either moderate it or reject it outright to their heart's content).
Quote
Finally - and slightly related - please provide the option for the prospective member to choose the language used by reCaptcha.
I do not want reCaptcha to be part of the core. I don't like it, I find it unreliable.[1] That said, I already made a reCaptcha plugin, which pushes its own language strings into play meaning that you can configure the strings much as you would configure anything else (i.e. the language editor) and do so per language; if you only have English installed, you'll get English regardless of anything else.
 1. Apart from the fact that about 1 in 5 times, I'll get some mathematical equation as one of the two words, the methodology is a touch flawed: they actually allow one letter per word to be wrong and still accept it. Mind you, reCaptcha has been broken by bots more than once now.

Farjo

  • "a valuable asset to the community"
  • Posts: 492
Re:
« Reply #4, on March 20th, 2012, 08:38 PM »
It's a tricky question. The Daily Express / paranoid side of me thinks yes we should have this due to the risks and protection against those foreign hackfactories, whereas the more level-headed real world admin in me knows we rarely get spammers or hackers so why make it inconvenient for the members.

I suppose you could make it an option so that, if in future we get bigger, draw more attention and get more hacking attempts, we can switch it on?

In the meantime I want to make clear I do not read the Daily Express.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re:
« Reply #5, on March 20th, 2012, 08:42 PM »
To put it into context, arantor.org has been logging these requests for 15 months or so and even though there haven't been posts for months, I still see these requests daily, it's currently in the realm of 2-3 per day but it used to be dozens per day.

Also, I fully understand your opinion regarding the Daily Express ;) It reminds me of this T-shirt ;)

Farjo

  • "a valuable asset to the community"
  • Posts: 492
Re:
« Reply #6, on March 20th, 2012, 08:56 PM »
:lol: That site's quite funny - I also like the dinosaur one "Not so tough now are you".

Actually I'm amazed that we never get any spam - maybe two or three posts since we switched to SMF in September. I turned off the capture thing as we were getting 10s of new members a day. The reg page now asks the user to type a word in the box and, hey presto, hardly any false new members!!!

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re:
« Reply #7, on March 20th, 2012, 08:57 PM »
Yeah, anti spam questions are awesome like that :)

Nao

  • Dadman with a boy
  • Posts: 16,079
Re:
« Reply #8, on March 20th, 2012, 09:08 PM »
Except for non-English speakers ;)
I should really add support for a language BBC tag... Like on noisen.

Farjo

  • "a valuable asset to the community"
  • Posts: 492
Re:
« Reply #9, on March 20th, 2012, 09:16 PM »
The Daily Express side of me doesn't want non-English speakers thank you very much "...and we will build Jerusalem in England's green and pleasant land because the real Jerusalem has all those foreigners in it"[1]
 1. I really do not have these views and genuinely deplore them

MultiformeIngegno

  • Posts: 1,337
Re: \
« Reply #10, on March 23rd, 2012, 01:01 PM »
Interesting topic. I'd go for the "security side". If a user has troubles logging in he can always use the recovery feature!

Nao

  • Dadman with a boy
  • Posts: 16,079
Re: \
« Reply #11, on March 23rd, 2012, 02:10 PM »
Quote from MultiformeIngegno on March 23rd, 2012, 01:01 PM
Interesting topic. I'd go for the "security side". If a user has troubles logging in he can always use the recovery feature!
Hey, interesting subject :P
I just discovered that any subjects with double quotes in them will get cut off at the first quote.
(Fixed, of course. Although I sure hope my fix will be scrutinized for security, too!)

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re:
« Reply #12, on March 23rd, 2012, 02:18 PM »
And this is why we htmlspecialchars the subject and never, ever un_htmlspecialchars it for any reason ;)

Nao

  • Dadman with a boy
  • Posts: 16,079
Re:
« Reply #13, on March 23rd, 2012, 02:24 PM »
Quote from Arantor on March 23rd, 2012, 02:18 PM
And this is why we htmlspecialchars the subject and never, ever un_htmlspecialchars it for any reason ;)
Only, we still use the addcslashes on double-quotes that's originally in SMF2.
So we get value="\"Something\"" which in turn some browsers will see as '' (empty), and others as \, but never as "Something".
So I got rid of the addcslashes.
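The attribute problem Nao describes, as an added example (not SMF or Wedge code; the function names and the sample subject are constructed): the legacy `addcslashes` approach backslash-escapes the quotes, but a backslash means nothing inside an HTML attribute, so the first escaped quote still terminates the value. Entity-encoding with `htmlspecialchars` and `ENT_QUOTES` is what keeps the subject inside the attribute, which is also why, as Arantor says, the stored subject should never be un-escaped again.

```php
<?php
// Added example, not SMF or Wedge code. Shows how a subject containing
// double quotes survives (or does not) inside a value="..." attribute.

function attr_with_addcslashes(string $subject): string
{
    // Legacy approach: backslash-escape the double quotes. HTML attribute
    // values have no backslash escaping, so the quote still closes the value.
    return '<input type="text" name="subject" value="' . addcslashes($subject, '"') . '">';
}

function attr_with_htmlspecialchars(string $subject): string
{
    // Entity-encode &, <, >, " and ' so the value can never close the attribute.
    return '<input type="text" name="subject" value="'
        . htmlspecialchars($subject, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// Parse the generated markup the way a browser would and report what the
// input's value attribute actually contains.
function parsed_value(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // the broken markup produces parser warnings
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input === null ? '' : $input->getAttribute('value');
}

$subject = '"Something"'; // constructed sample subject with double quotes

foreach (['addcslashes' => attr_with_addcslashes($subject),
          'htmlspecialchars' => attr_with_htmlspecialchars($subject)] as $label => $html) {
    echo $label, ":\n  markup: ", $html, "\n  parsed value: ", var_export(parsed_value($html), true), "\n";
}
```

Running it shows the first form emitting `value="\"Something\""`, from which the parser recovers something other than `"Something"` (a stray backslash at best), while the second form emits `value="&quot;Something&quot;"` and the parsed value round-trips to the original subject.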

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re:
« Reply #14, on March 23rd, 2012, 02:35 PM »
I don't recall SMF adding slashes there...