
Sign-In Security

Shadowdare Moderator
edited May 2014 in Vanilla 2.0 - 2.8

While developing a user system for a website, I researched good practices for security and privacy in user system implementations. One website that has interesting information about passwords is GRC, which is run by Security Now host Steve Gibson.

Another interesting website I found had an article titled "Salted Password Hashing - Doing it Right" with interesting tips and links to source code in different programming languages on GitHub. I used their provided C# code for implementing the PBKDF2 cryptographic hash algorithm in an ASP.NET MVC project recently.

Anyway, what I would like to discuss is about one point that seems outstanding, yet simple, from the article:

In step 4, never tell the user if it was the username or password they got wrong. Always display a generic message like "Invalid username or password." This prevents attackers from enumerating valid usernames without knowing their passwords.

In Vanilla 2.1, the sign-in form would return "sorry, no account could be found related to the email/username you entered" for non-existing usernames, which is alright, but it shows "the password you entered was incorrect" for existing usernames with non-matching passwords, which is good to have in terms of user-friendliness. Displaying a more generic message like the one quoted above seems to be better for deterring attackers and brute-force scripts.

Should Vanilla's error message be changed to display a more generic message? While on this topic, are there any other security concerns with Vanilla you might have?
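As an added illustration of the point in step 4 (this is example code written for this thread, not Vanilla's sign-in code and not the C# from the linked article), here are the two sign-in behaviours side by side: one that reports "no account" versus "wrong password", and one that returns a single generic message. The generic version also runs the PBKDF2 check against a dummy salt when the username does not exist, because a sign-in that skips the hash for unknown users still leaks which accounts exist through response time, even if the message is identical. The user table, names and iteration count are made up for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000          # assumed; tune to your hardware
GENERIC_ERROR = "Invalid username or password."


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(password: str):
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed in-memory user store for the example: username -> (salt, hash).
USERS = {
    "alice": make_user("correct horse battery staple"),
}

# Dummy credentials used on the unknown-user path so it performs the same PBKDF2
# work as the known-user path. The hash is random, so it can never match.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = os.urandom(32)


def login_leaky(username: str, password: str):
    """The behaviour described in the post: a different message per failure cause."""
    rec = USERS.get(username)
    if rec is None:
        return False, "Sorry, no account could be found related to the email/username you entered."
    salt, stored = rec
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return False, "The password you entered was incorrect."
    return True, "OK"


def login_generic(username: str, password: str):
    """One message for both failures, and equal work whether or not the user exists."""
    rec = USERS.get(username)
    salt, stored = rec if rec is not None else (_DUMMY_SALT, _DUMMY_HASH)
    candidate = hash_password(password, salt)        # always computed
    ok = hmac.compare_digest(candidate, stored) and rec is not None
    if not ok:
        return False, GENERIC_ERROR
    return True, "OK"


def messages_distinguish_users(login_fn) -> bool:
    """Enumeration check: does a wrong password on a real account produce a
    different message than a wrong password on a non-existent account?"""
    _, existing_msg = login_fn("alice", "not the password")
    _, missing_msg = login_fn("nobody", "not the password")
    return existing_msg != missing_msg


if __name__ == "__main__":
    print("leaky form distinguishes users:", messages_distinguish_users(login_leaky))
    print("generic form distinguishes users:", messages_distinguish_users(login_generic))
```

The `messages_distinguish_users` helper is the check you would run against a sign-in endpoint to confirm the fix: with the generic form it returns False, and the unknown-user branch takes the same PBKDF2 time as a real account.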


Comments

  • Linc Detroit Admin
    edited May 2014

    We did previously use a more generic message and the bottom line is it's a terrible user experience. The ability to detect whether a particular email or username is in use on a forum seems very difficult to exploit, not least because we employ flood control to stop bots from attempting user/pass combos any quicker than a human could.

    Security is always a balancing act between what is best for security and what is best for the user experience. In this case, I think a useful error far outweighs the danger of tipping your hand whether an account is in use.
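For readers who want to see what "flood control" on a sign-in form amounts to, here is an added example of a per-(client address, username) sliding-window limiter. It is example code written for this thread, not Vanilla's own flood-control implementation, and the limit of 5 attempts per 60 seconds, the key choice and the fake clock are assumptions for illustration.

```python
import time
from collections import defaultdict, deque


class FloodControl:
    """Allow at most `limit` sign-in attempts per `window` seconds for each key."""

    def __init__(self, limit: int = 5, window: float = 60.0, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock                      # injectable for tests
        self._attempts = defaultdict(deque)     # key -> timestamps of recent attempts

    def allow(self, client_ip: str, username: str) -> bool:
        """Record an attempt and return whether it may proceed to the password check."""
        key = (client_ip, username.lower())
        now = self.clock()
        recent = self._attempts[key]
        while recent and now - recent[0] > self.window:   # drop expired attempts
            recent.popleft()
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


class FakeClock:
    """Constructed clock so the simulation runs instantly and deterministically."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float):
        self.t += seconds


def simulate_burst(attempts: int) -> int:
    """A script firing `attempts` user/pass guesses at one account within a second.
    Returns how many reach the password check."""
    clock = FakeClock()
    fc = FloodControl(limit=5, window=60.0, clock=clock)
    passed = 0
    for _ in range(attempts):
        if fc.allow("203.0.113.7", "alice"):
            passed += 1
        clock.advance(0.01)
    return passed


def simulate_human(attempts: int, pause: float = 20.0) -> int:
    """A person retrying every `pause` seconds: all attempts should be allowed."""
    clock = FakeClock()
    fc = FloodControl(limit=5, window=60.0, clock=clock)
    passed = 0
    for _ in range(attempts):
        if fc.allow("203.0.113.7", "alice"):
            passed += 1
        clock.advance(pause)
    return passed


if __name__ == "__main__":
    print("burst of 100 guesses, allowed:", simulate_burst(100))
    print("10 human-paced retries, allowed:", simulate_human(10))
```

Keying on the address alone lets one bot lock out everyone behind a shared NAT; keying on the username alone lets an attacker deliberately lock a victim out. The pair is a common compromise, and the limiter should run before the password hash so throttled requests do not cost a PBKDF2 computation.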
