JasonLewis Posted August 27, 2011

Was having a discussion with a friend about logins, since I was developing mine to determine which of the credentials was incorrect to inform the user that they got the password wrong. Is this a security issue? My friend seemed to think so. The way I thought of it is, they'll probably know your username anyway. Like people here will know what my username is from looking at my, well, username (although my display name was changed recently, mwhaha!). So telling them that they specifically got the password wrong if they logged in incorrectly with my username isn't going to mean anything, right? That's my thinking. I personally like seeing a more detailed message, as on various sites I go by jaysonic, or jaysonic1991 (if jaysonic is taken) and sometimes even jaysonic91 (I don't know why...). So when I log in and it says "Your username or password was incorrect" I curse them silently because I don't know which! Since I also have a few various passwords this makes it somewhat annoying sometimes. Long story short: are detailed login error messages (specifically stating which credential was wrong) a security issue?
cs.punk Posted August 27, 2011

If you're questioning it now, then I'd say you're intelligent enough to have a 'secure' login system, in which case I'd say it isn't a security concern. But let's say 20% of your users have their password as 'password' or '123' or 'yoursitename'. It would be of great help to a malicious bot-making person, but it depends I guess. Just hunting the site for usernames could be a much easier task. If you require users to choose strong and lengthy passwords and have login timeouts, then what are you possibly risking? Especially if it's something general like a forum. So to answer the question: no, it is hardly a security concern.
JasonLewis Posted August 27, 2011 (Author)

That's the thing: most websites offer some sort of members list, so it's hardly difficult to obtain someone's username. So you know for a fact you'd be getting it right, even if the error message kept saying "invalid username or password". If anything I think providing a more detailed error message is helpful for the user who may be silly like me and have a small range of username/password combinations with slight differences.
PFMaBiSmAd Posted August 27, 2011

If you don't have "bad login attempt counting/login lockout" logic in your login code (i.e. you allow unlimited attempts), then yes, telling a bot script/hacker specifically first if the username doesn't exist, then if the password was wrong is a security problem.
JasonLewis Posted August 27, 2011 (Author)

> If you don't have "bad login attempt counting/login lockout" logic in your login code (i.e. you allow unlimited attempts), then yes, telling a bot script/hacker specifically first if the username doesn't exist, then if the password was wrong is a security problem.

Of course, a login spam filter should be considered for all logins. But still, usernames are publicly available? So they shouldn't be getting it wrong anyway, unless it's a bot script that is simply trying to brute force its way through. But again the lockout will be applied if they try too many times.
PFMaBiSmAd Posted August 27, 2011

Only about 5% of the sites I log into have any sort of public member list that would provide username information, and on those sites the harm of someone breaking into an account would not be monetary or provide access to personal information. I'm pretty sure on all the rest of the sites I log into (my banking, investment, shopping, travel, API, ...) username information is not (intentionally) published on or by the sites I use.
JasonLewis Posted August 27, 2011 (Author)

No, I doubt the examples you listed would provide username/access code information publicly. Okay, so then this depends on the circumstances that surround it. I tested a few sites: Westpac (my bank), Forrst, GitHub, Flingbits, Facebook and this website. The websites that said my password was incorrect were: Flingbits, Facebook and PHP Freaks. All the others said that my login combination was incorrect or something to that effect.
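The two designs the thread argues about, as an added Python example that is not from the forum or any poster: a login check that reports which credential failed, beside one that returns a single generic message, does the same hashing work whether or not the username exists (so response time does not reveal it either), and counts failed attempts per username, as PFMaBiSmAd's post calls for. The user table, password, iteration count and lockout thresholds are all constructed for illustration.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

def _hash_pw(password, salt):
    # PBKDF2 with a constructed iteration count; any slow hash works here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed sample user table: username -> (salt, hash). Only "alice" exists.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_pw("correct horse", _SALT))}
# Dummy record used for unknown usernames so the unknown-user path costs the same.
_DUMMY = (_SALT, _hash_pw("dummy", _SALT))

MAX_ATTEMPTS = 5        # constructed threshold
LOCKOUT_SECONDS = 300   # constructed window
_failures = defaultdict(list)  # username -> timestamps of recent failed attempts

def login_leaky(username, password):
    """The detailed variant: the reply tells the caller which credential failed."""
    if username not in USERS:
        return "unknown username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_pw(password, salt), stored):
        return "wrong password"
    return "ok"

def login_uniform(username, password, now=None):
    """Hardened variant: one message for both failures, constant work, lockout counting."""
    now = time.time() if now is None else now
    recent = [t for t in _failures[username] if now - t < LOCKOUT_SECONDS]
    _failures[username] = recent
    # Unknown usernames are counted too, so the lockout reply does not reveal existence.
    if len(recent) >= MAX_ATTEMPTS:
        return "too many attempts; try again later"
    salt, stored = USERS.get(username, _DUMMY)
    matched = hmac.compare_digest(_hash_pw(password, salt), stored)
    if username in USERS and matched:
        _failures[username].clear()
        return "ok"
    _failures[username].append(now)
    return "invalid username or password"
```

Against the leaky variant, a caller can confirm a username from the first reply; against the uniform variant, neither the text nor the amount of work done differs until the lockout applies equally to both.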