Excerpt from the assignment given as part of the "server-side programming" module:

If the username and password are not correct, open a window, displaying “The login failed!”. Also display whether username or password is incorrect.

To all non-programmers on my friends list: can you figure out why this would be a bad and wrong thing to do?   8^]


From: [identity profile] original-aj.livejournal.com


The Auditor, he say No!

That's a standard thing to check for when reviewing security on an IT system. They are naughty in my sight, and you can tell them so!

From: [identity profile] figg.livejournal.com


As a professional, that will be £300 for an answer.

From: [identity profile] xenophanean.livejournal.com


Tells the security hacker if he's got one thing right. Particularly bad if he's found a good password, as then he only needs to know all the usernames to gain access. As many passwords are kinda common (names, satan666, etc.), not hard to do.

(not a programmer)

From: [identity profile] spudtater.livejournal.com


Bingo. Try a whole load of potential passwords, and end up with N valid ones. Then try a whole load of usernames, and end up with M valid ones. Then you only have to try NxM combinations of the two lists, with a fairly good probability of hitting a good combination.

Btw, somebody investigating myspace passwords found that the most common password was... wait for it... "password".   8^)

From: [identity profile] markadm.livejournal.com


Surely it is a good thing--it is not telling the Evil h4ck3r whether it is the username or the password which is wrong, or both.

From: [identity profile] figg.livejournal.com


It seems everyone else has read the sentence the other way, that it will be telling the malicious user which part they got wrong, rather than a general statement.

From: [identity profile] markadm.livejournal.com


I interpreted the meaning of this differently:
"Also display whether username or password is incorrect."

I realise now that "whether" means "which one is wrong", but it could mean display if the username is wrong, or if the password is wrong (i.e. which one is wrong does not matter).

From: [identity profile] mr-purpleduck.livejournal.com


... Also be careful of giving those details away with the amount of time it takes to respond if the username or password is incorrect.

From: [identity profile] spudtater.livejournal.com


This is over t'internet, so I imagine this information will be lost in the noise anyway...

From: [identity profile] mr-purpleduck.livejournal.com


That really depends; the following issue in OpenSSH, with PAM enabled, did just that. A valid user account would take longer to be rejected than an invalid one.

http://lab.mediaservice.net/advisory/2003-01-openssh.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0190
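To make the original post's point and the timing point above concrete, here is an added example (mine, not from the assignment or from any of the commenters): a login check that reports which field was wrong, beside one that returns a single message and spends the same hashing work on an unknown username as on a known one. The user table, salts and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000  # PBKDF2 work factor; constructed for the example


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample user table: username -> (salt, password hash). Not real accounts.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}

# Hash of a throwaway password, used so that a lookup of an unknown username
# costs the same hashing work as a known one (the timing leak described above).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> str:
    """What the assignment asks for: the message says which field was wrong,
    and an unknown username returns early without hashing anything."""
    if username not in USERS:
        return "The login failed! Username is incorrect."
    salt, stored = USERS[username]
    if hash_password(password, salt) != stored:
        return "The login failed! Password is incorrect."
    return "OK"


def login_hardened(username: str, password: str) -> str:
    """Same message and same work whether the username or the password is wrong."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)  # always hashes, even for unknown users
    # Constant-time compare; the membership check stops a guess of the dummy
    # password from "logging in" as a non-existent user.
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    return "OK" if ok else "The login failed!"


def messages_differ(login) -> bool:
    """Self-check a defender can run: does a wrong password for a real user
    produce a different message from any password for an unknown user?"""
    return login("alice", "not-the-password") != login("nobody", "not-the-password")
```

Measuring the two functions' wall-clock time shows the other half of the point: `login_leaky` rejects an unknown username far faster than a wrong password, while `login_hardened` takes about the same time for both.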

From: [identity profile] zombywuf.livejournal.com


Although this is often viewed as bad, usernames are usually so widely exposed (email addresses, "the username is already taken", etc...) that it's not a huge risk. Of course, if the system ever tells you you got the password right but not the username, it's very bad and wrong. I think there was a dailywtf where the system showed an error if you signed up with the same password as someone else.

From: [identity profile] spudtater.livejournal.com


I interpreted the sentence as meaning "if the user has the correct password, but not username, then tell him so". But on re-reading I can see that it does leave itself open to other interpretations.

A system which says one of "username does not exist" or "password incorrect" (as I believe Livejournal will do) is fine, and in fact is what I'll probably actually implement for the assignment.