User Login done right
January 11, 2012
Today I was involved in an estimation session when the issue of user login came up. I was reminded of how such a straightforward piece of functionality can actually be rather tricky to implement correctly. (An estimation session is where we look at a list of features and try to assign a relative complexity to each)
The humble user login – implemented in every single website on earth, but what is the right way? If you’re wondering what the hell I’m going on about, let’s look at a few examples. It’s pretty straightforward to figure out what should happen when I supply the correct username and password, but what should happen when I supply the incorrect credentials?
Let’s take a look at how a few popular sites handle this. First up, Gmail.
Here I used an e-mail address (username) that doesn’t exist. I get the exact same message when I use my actual e-mail address with an incorrect password.
If I do this a few times I get prompted to complete a captcha test.
Let’s contrast this with another site you might have heard of – Facebook.
That’s the message I get when I supply an e-mail address (username) that doesn’t exist. When I supply my actual e-mail address with an incorrect password, I get a different message.
As far as I can tell I can try a password as many times as I like – I never get prompted for a captcha or get my account locked.
What’s the difference?
What’s the difference between how these sites handle incorrect credentials? I never realized this until I attended a seminar on web security, but Facebook is actually doing something called ‘information leakage’. By telling you that your password is incorrect, Facebook is implicitly telling you that the username (e-mail address) you entered exists.
Think of it from the perspective of a hacker – to get access to someone’s account you would need to know both their username and password. If I wanted access to a host of Facebook accounts, I would simply guess a whole bunch of usernames and test them against the login system. Since Facebook would implicitly tell me which of those are real usernames, I could then try a list of the most common passwords against only the real usernames. Since the Facebook username is in fact an e-mail address I could also validate a whole list of e-mail addresses to be targeted for spam.
That’s why the message Gmail provides is actually quite clever – they don’t leak any information – they only tell me that the username and password combination doesn’t exist. Gmail doesn’t implicitly tell me anything else and I have no idea of knowing whether or not the username actually exists.
Is Facebook wrong and Gmail right?
In a word, no. While Facebook does leak information about usernames it does make the user experience a bit nicer – you never have to struggle to figure out whether or not you have the right username. While it does leave them vulnerable to certain attacks they probably felt that it was justified to be able to provide an easier user experience.
I don’t think there is necessarily a right way of doing this, but I do think it’s very important to understand what the different options imply.
Locking an account after a certain number of attempts
What you should really watch out for is locking an account after a certain number of attempts. For example, you may decide that if a user enters his/her password incorrectly 10 times you would lock their account. While this may seem like a good idea, if I know your username I can very easily lock your account. Again, you might think that this isn’t the worst thing – the user might simply need to reset their password using a linked e-mail account. However, if you combine this with information leakage it could potentially have very bad results for your website.
For example, let’s say Facebook decides that after 10 invalid password attempts a user’s account is locked and they are forced to reset their password. A hacker might use the fact that Facebook tells you which usernames are valid to build up a large database of valid usernames. Using the lockout facility a hacker could then lock the accounts of all these users on a single day.
Imagine 100 000 Facebook users get their accounts locked on a single day – not only might they lose some existing users and deter new users from joining, their reputation would take a massive hit. In the long term users might not feel comfortable supplying their credit card details on a site which had these kinds of issues in the past. All because of a simple login feature.
Conclusion
User login is a pretty straightforward piece of functionality, but it’s important that we understand the consequences of our different options. We might end up hurting our users by implementing features which are intended to help them.
Happy coding.
Tags: PatternsPractices, web
The secret question is the worst thing. You can have a very complicated password (sEd#@34ds!a) but a simple answer to the question. Commonly, the question is from a defined set of possible questions.
Q: What’s your favorite band?
A: Beatles
Now you can change the password =)
I couldn’t agree more. The secret question is simply a terrible idea. Especially if they force you to choose something simple (which you can usually find out by checking the person’s facebook/google+ profile)!
What you have to remember with the secret question answer is that it does not have to be a true answer. You can pick any of the questions, but the answer could be (sEd#@34ds!a).
@Chris sure, you could do that but that’s not its intended purpose and how many people will actually do that? The problem is that it’s promoting an insecure option.
I do have an idea for “locking”. How about incremental delays? After 3 failed attempts, you would have to wait 3 seconds before trying for the 4th time? And then 4 seconds before the 5th time? And so on…
It’s not extremely annoying for a user but really counter-productive for a brute-force attacker.
Yeah that might work, but I think in practice measures are very easy to avoid for a skilled hacker – for example if the request is coming in from a different IP every time you won’t be able to tell that a request is the ’2nd’ or ’3rd’ attempt. But this would effectively be the same approach as GMail is doing with captchas.
Facebook also locks the account when access to Facebook is gained from a different country to where you normally log in (I am not sure of their exact parameters here).
I was forced to change my password by FB because it had been logged into from some silly Eastern European country. So they have other security features in place…
I guess it depends on the sensitivity of the site you are logging in to (assuming people aren’t using the same password on multiple sites, which is a different issue!). If someone gained entry to your Facebook then it isn’t the end of the world, but on the other hand, if someone gained access to your gmail or internet banking then it could cause you a whole range of serious problems.
@Andy: I guess you’re right (although Facebook might be a bad example – for some users a hacked Facebook account could possibly have severe personal and possible financial consequences). In any case, the issue of using the same password on multiple sites nullifies that argument. I think we should always try to store our users’ information in the most secure possible manner – no matter what the business aim of our website.
Facebook does seem to lock your account after three attempts. I just tested that and got a captcha after the third.