"Username and/or Password Invalid" - Why do websites show this kind of message instead of informing the user which one was wrong?

  • Let's say a user is logging into a typical site, entering their username and password, and they mistype one of their inputs. I have noticed that most, if not all, sites show the same message (something along the lines of "Invalid username or password") despite only one input being wrong.

    To me, it seems easy enough to notify the user of which input was wrong and this got me wondering why sites do not do it. So, is there a security reason for this or is it just something that has become the norm?

    For websites which offer a different way to see if a user exists, there is no security gain. They're just being annoying.

    Non security reason: If the database contains salted and hashed passwords, determining that the password matches an existing one would require hashing the password provided with every salt (1 per user, we hope) in the database.

    One totally non-security-related reason is that it's possible the provider doesn't know which was wrong. E.g. if [email protected] mistypes his user name as [email protected] and there really is another user [email protected].

    @MarkBeadles ... the logon entity won't know if the username is valid? You might have to explain that one more...

    1. [email protected] mistypes id as "[email protected]" and types his (own) password correctly
    2. A user BOB2 exists in the user store
    3. Logon entity thinks that BOB2 mistyped his password, when in reality BOB1 mistyped his username.

    I would agree that it is for security reasons. **I don't know any website where the username is supposed to be secret.** As an example: Google does the "Username and/or Password Invalid" thing but you can still find out if a username exists (by trying to register it).

    @JoãoPortela, but the creation screen is guarded by captcha. That's the difference.

    Occam's Razor says: Programmers are lazy. :)

    @JoãoPortela not all systems allow you to self-register automatically.

    Because hackers can easily hack the accounts if they know any one thing correctly.

    @user606723 fair point (I had forgotten about that). Still: your username is your email, which makes it very much public.

    @Affe yes, but you still see this behavior in systems with public usernames where the "it's for security" reasoning does not apply. As such there must be another reason... Maybe it's just because everyone else is doing it.

    Even if the system allows checking whether an account exists in some other way, this would still slow down bruteforcing by the number of those extra requests.

    @JoãoPortela, consider this: If gmail allowed you to figure out if a userid exists without captcha, they'd allow spammers a way to harvest legit email accounts. And you're right, if there are cases where userids are completely public, then it's likely by convention. Why should your website code not support both occurrences?

    @user606723 In the mean time I read ExpectoPatronum and similar ones and it makes a lot more sense. I just wasn't buying the whole: "after they know the username they just have to guess the password" thing.

    @user606723 In the case of Google, the captcha is there for signing up (like submitting the form), the validation is done via AJAX. You can see the URL, and the POST parameters, and the headers, so the hidden usernames are not the issue.

    @MarkBeadles The possibility of the user mistyping the username and submitting is extremely rare. Divide it by a billion and get the possibility of the mistyped username matching the one of another user. However, when the user base is huge (like Google's or Yahoo's) the possibility of this happening is higher. But even then, when bob1 mistypes bob2, without knowing he's actually bob1, the site could say "Password invalid for bob2" and the user will get the problem.

    Some sites will tell you if the email address you've given already exists in their system when registering (sometimes pointing you towards the password reset function). Can anyone shed some light on how this isn't giving a malicious user another way to discover valid usernames? (I'm not talking about informative JavaScript prompts, etc. solely here)

    Just adding more to the fire: facebook actually tells you when the username does not exist. :)

    So does Microsoft: "*That Microsoft account doesn't exist. Enter a different email address or get a new account.*" / "*That password is incorrect. Be sure you're using the password for your Microsoft account.*"

  • user10211 (Correct answer)

    9 years ago

    If a malicious user starts attacking a website by guessing common username/password combinations like admin/admin, the attacker would know that the username is valid if it returns a message of "Password invalid" instead of "Username or password invalid".

    If an attacker knows the username is valid, he could concentrate his efforts on that particular account using techniques like SQL injections or bruteforcing the password.

    Doesn't this assume that figuring out the username by other means is as difficult as guessing the password? As @CodesInChaos points out, if you can validate the username by other means, it's really pointless to obfuscate it in this one interface.

    @kojiro Yes, it does assume that. But, that is not a bad assumption.

    @kojiro: I think it's not uncommon that accounts that can be used to administer the website are not published in any publicly viewable username list.

    @schroeder I disagree, for most widely known websites (gmail, facebook, twitter...) the username is very much public.

    Wouldn't it make sense for a website to state that every possible userid is valid and offer a made-up recovery email address as well? Would this help thwart malicious behavior by making hackers waste time on userids that in fact don't exist and have no passwords to crack?

    @lazfish but then you could just show the usual "username or password wrong" message and call it a day, it's pretty much the same.

    @lazfish, no, because any intelligent user would be able to tell that's a fake message. I agree with Mahn.

    It would be effectively the same thing but it would work in environments with validation on each item as well.

    @JoãoPortela I did not say that it is a valid assumption for all cases, I said that it is not a bad assumption. Of course some sites have very public usernames, and in that case, if you know a valid username, all you need to do is to guess the password, but as a general case for a designer, it is better to assume that the username is not known.

    He can just attack the sign up page, silly.

    Just view it from another perspective: let's say the hacker is bruteforcing only the passwords, as there are people who have pretty weak passwords. He would find a valid password; the system has, for example, 1000 users; he writes a simple script to scrape the usernames from the website and then he just has to try all the usernames, which is 1000 attempts in this case. This method is faster as the attacker is using the *easiest* password.

    A malicious user can find out if the username is taken as part of registration; you would not allow two users to register with the same username. Therefore, obscuring the login failure message is meaningless.

    @Gajus not all websites give registration forms. In some SaaS websites an admin needs to add users.
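The accepted answer's point, shown in code. This is an added example and not code from the question or any of the answers; it uses a constructed in-memory user store with two made-up accounts (`bob1`, `bob2`) and made-up passwords. `login_leaky` behaves the way the question describes (a different message per cause), `login_uniform` returns one message for both failure causes, and `leaks_username_existence` is the check a defender can run against either handler to see whether the failure message alone distinguishes "no such user" from "wrong password". The example goes one step beyond the thread: when the username is unknown it still hashes the submitted password against a dummy salt, so that the response takes the same time either way and the existence of the account is not revealed through response timing instead of the message text.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for the example


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, as the thread's 'salted and hashed passwords'."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _make_record(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)  # one salt per user
    return salt, _hash_password(password, salt)


# Constructed user store (hypothetical accounts and passwords, not real data).
USERS = {
    "bob1": _make_record("correct horse battery staple"),
    "bob2": _make_record("hunter2"),
}

UNIFORM_MESSAGE = "Username or password invalid"

# Dummy credential used only to do the same amount of hashing work when the
# username does not exist; its password is random and never accepted.
_DUMMY_SALT, _DUMMY_HASH = _make_record(secrets.token_hex(16))


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """The behaviour the question asks about: the message names the failing field,
    so a failed attempt tells the caller whether the username exists."""
    record = USERS.get(username)
    if record is None:
        return False, "Username invalid"
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return False, "Password invalid"
    return True, "OK"


def login_uniform(username: str, password: str) -> tuple[bool, str]:
    """One message for both failure causes, and equal hashing work for an
    unknown username (the dummy record) so timing does not leak either."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash_password(password, salt), stored)
    # The dummy record must never authenticate, whatever password was sent.
    if matched and username in USERS:
        return True, "OK"
    return False, UNIFORM_MESSAGE


def leaks_username_existence(login, known_user: str = "bob1",
                             unknown_user: str = "no-such-user") -> bool:
    """Defender's check: does a wrong password for an existing account produce a
    different failure message than a login for a nonexistent account?"""
    wrong_password = secrets.token_hex(16)  # will not match any stored hash
    ok_known, msg_known = login(known_user, wrong_password)
    ok_unknown, msg_unknown = login(unknown_user, wrong_password)
    assert not ok_known and not ok_unknown
    return msg_known != msg_unknown


if __name__ == "__main__":
    for handler in (login_leaky, login_uniform):
        print(f"{handler.__name__}: leaks existence = {leaks_username_existence(handler)}")
```

As several comments in the thread note, the uniform message only helps if the registration, password-reset and any AJAX validation endpoints are made consistent too; the check above is worth running against each of those responses, not only the login form.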

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM