
Username/Password check - does it matter which way?


Solved by Jacques1


By the way, in case you were considering it:


Don't indicate whether the username does not exist vs. it does and the password is wrong. It reveals information an attacker could use. Use the same error message for both - ideally a single check in code like

if (no matching row || password hash does not match) {

The slow hashing still allows a user to distinguish between the two cases: if the username is wrong, the application responds immediately; otherwise there will be a noticeable delay due to the password check (e.g. one second).


This can be slightly improved by hashing a dummy password when the username is wrong, but there will still be subtle differences (timing, unique errors of particular execution paths etc.). Personally, I just use public usernames instead of trying to hide the accounts.
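Added example (not code from either poster) in Python, contrasting the early-return check with the dummy-hash approach described in the reply above; a call counter shows that the hardened version does the same KDF work whether or not the username exists. The user store, the sample password and the PBKDF2 parameters are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor; raise it for production use
GENERIC_ERROR = "Invalid username or password"  # one message for every failure

def hash_password(password):
    """Return (salt, PBKDF2-HMAC-SHA256 hash) with a fresh random salt."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

# Constructed sample user store (hypothetical account, not from the thread).
USERS = {"alice": hash_password("correct horse battery staple")}
# Dummy record built once at startup from a random secret, so it can never match.
DUMMY_RECORD = hash_password(secrets.token_hex(32))
kdf_calls = 0  # instrumentation: how many times the slow KDF has run

def _verify(password, record):
    """Run the KDF once and compare in constant time against the stored hash."""
    global kdf_calls
    kdf_calls += 1
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)

def login_naive(username, password):
    """Leaky version: an unknown username returns before the KDF ever runs."""
    record = USERS.get(username)
    if record is None:
        return False, GENERIC_ERROR  # fast path, no hashing: the delay gives it away
    if not _verify(password, record):
        return False, GENERIC_ERROR  # slow path, one KDF
    return True, ""

def login_constant_work(username, password):
    """Hardened version: the KDF runs exactly once on every path."""
    record = USERS.get(username)
    # Unknown user: verify against the dummy record so the same work is done anyway.
    matched = _verify(password, DUMMY_RECORD if record is None else record)
    if record is None or not matched:
        return False, GENERIC_ERROR
    return True, ""

def kdf_calls_for(fn, username, password):
    """Call fn once and report how many KDF invocations that path caused."""
    before = kdf_calls
    fn(username, password)
    return kdf_calls - before
```

The dummy path still differs from the real one in database latency and error handling, which is the residual gap the reply above points out.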
