81

According to the OWASP Auth Guidelines, "An application should respond with a generic error message regardless of whether the user ID or password was incorrect. It should also give no indication to the status of an existing account."

However, I have found that many popular web apps violate this guideline by showing a message that the account does not exist.

google

microsoft

slack

So what is going on here? Are Google, Microsoft, and Slack doing something insecure or is the OWASP Guideline useless?

chris
  • 103
  • 3
styfle
  • 928
  • 1
  • 6
  • 9
  • 7
    Note that all of these only ask for your authentication credentials (e.g. password) after you have entered the username. – user Apr 25 '17 at 12:48
  • 10
    Correct. It seems they are being kind to the user who mistypes their account to let them know immediately, but it clearly violates the OWASP Guideline. – styfle Apr 25 '17 at 12:56
  • 16
    Variations on this question have been asked many times. There is even a tag for [tag:user-enumeration] – Michael come lately Apr 25 '17 at 14:24
  • 4
    "Tell the user when their email doesn't exist" – David Sherret Apr 25 '17 at 15:31
  • In addition to the security/useability tradeoff there is also the point that everybody has an account at those services anyway. – eckes Apr 26 '17 at 00:27
  • 1
    As a user of many different online websites with many different usernames and email addresses, I certainly want to know if the username/email address I am attempting to use is recognised by your system, regardless of any password I may be entering. As a user struggling to login, it is crucial for me to know if it is my username or password which is wrong, otherwise I get frustrated. – ESR Apr 26 '17 at 04:01
  • 1
    also note that at least some of them (gmail) will store your email/username in plaintext cookie, so you (or whoever gets a hold of it) will not even need to bother to check - they will know by default exactly what your username is. – Matija Nalis Apr 26 '17 at 10:55
  • 1
    Not worth an answer, but I recommend reading this blog post from the mailchimp team. It's focused on the problems they found users experienced when logging in and how they tackled them. One of the points is about your very question. Generic vs specific error messages during login. TLDR: It costs users. They decided, just like the big players, that for them the extra security is not worth the loss in users it incurs. – Stijn de Witt Apr 26 '17 at 13:43
  • 3
    If you want to find out if an account exists, just try signing up with that username. – Jon Apr 26 '17 at 19:16
  • 1
    Note that the "team URL" on slack is not your username. After you select a slack server, you're prompted for your personal username/password pair. – CAD97 Apr 27 '17 at 03:26
  • With email providers you could just send an e-mail and wait for reply. If you get mail delivery error, it means that username is not registered. – el.pescado - нет войне Apr 27 '17 at 07:54
  • Note that they all provide 2FA. – miva2 Apr 27 '17 at 12:55

7 Answers7

117

This is a consideration between security and usability, and therefore there is not really a right answer here. So here follows my opinion.

If you can keep usernames secret, then do so. In this case there is no way to figure out whether a username exists, and the login reacts the same whether a user exists or not. Note that this also means taking the same amount of time to return an error message.

This behavior may not be possible. For example if users can register themselves and choose their own username, you have to notify them when a username already exists in the system. If this is the case, make the login as easy to use as possible by providing the most detailed error message. If someone can figure out whether a user exists using the registration function, there is no use in hiding this at the login.

Sjoerd
  • 30,589
  • 13
  • 80
  • 107
  • 41
    "If someone can figure out whether a user exists using the registration function, there is no use in hiding this at the login." - also you can do that by reset password feature, or from list of public profiles (Twitter), or by sending e-mail and possible getting "undeliverable message" error from mail server (Gmail) – user11153 Apr 25 '17 at 14:36
  • 28
    " If someone can figure out whether a user exists using the registration function, there is no use in hiding this at the login" - unless registration is gated by a captcha and login isn't. – John Dvorak Apr 25 '17 at 14:37
  • 26
    @JanDvorak Then that's a separate and rather serious issue with the login to begin with. If there isn't a way to limit login attempts, then you already have significantly more serious problems than just "figuring out usernames". – Nelson Apr 25 '17 at 15:40
  • Even if I just kinda assume my users have strong passwords, and make sure they actually do? I mean, the kind that takes forty billion years to guess, twice as long as KeePass normally generates and full of various ASCII? Let's say my rate limits guard me from dos attacks but not much else? – John Dvorak Apr 25 '17 at 15:50
  • 3
    @JanDvorak This is why most of those sites that do show you whether or not the account exists on login will start doing a captcha on login after a few failed attempts - so you get a couple tries where you might be able to harvest valid usernames, but after that are slowed by the captcha. – Grant Apr 25 '17 at 18:49
  • 6
    I'm accepting this answer because this line sums it up "If you can keep usernames secret, then do so". In some enterprise systems, the sign-up function is not available to the public so there are scenarios this is possible to follow OWASP. In the examples I gave above, those accounts could easily be found outside the login page. – styfle Apr 26 '17 at 13:26
  • @user11153, on systems where I make the login screen conceal whether the username was incorrect or just the password, I also make the reset password feature always say that it's sent an e-mail to the registered address, even if there is no registered address. I've never built systems which included mail servers, but I'm sure that in those cases it's possible to configure at least some mail servers to not give away whether usernames exist or not (in addition to greylisting to slow down enumeration attacks). – Peter Taylor Apr 27 '17 at 08:22
34

It's not the only OWASP guideline that is not followed by big players. OWASP often focuses on security and ignores usability. It can be a valid design choice if combined with a decent password policy, brute-force protection (lockout, captcha,..), MFA, monitoring failed login attempts, etc.

Take into account that user enumeration isn't just the problem of being able to guess user accounts which you can later brute-force for authentication. Some sites should protect the privacy of their users (adult, political parties, dating, ...). If I want to check if my boss is using an adult website I can misuse a user enumeration vulnerability to know what sites he is using.

Silver
  • 1,820
  • 1
  • 13
  • 23
  • 6
    +1 for the second paragraph which raises a very good point once you know someone's login – WoJ Sep 02 '17 at 05:58
  • "If I want to check if my boss is using an adult website I can misuse a user enumeration vulnerability to know what sites he is using." -

    If an attacker is targeting a specific individual, then a standard registration flow that confirms whether the account already exists or not is going to provide the same information, regardless of any lockout, captcha, etc.

     – Nicholas Nov 02 '23 at 21:53
  • That's why use enumeration is not limited to login. A sensitive website should prevent user enumeration everywhere.

    A well designed registration will not reveal this information. Often the registration simply responds with some success message and if the account already exists, the e-mail you receive states this. The web app user can't distinguish a new from an existing account but the e-mail owner obviously can.

     – Silver Nov 05 '23 at 11:21
14

You just can't prevent it. (Unless you're ready to sacrifice a significant amount of usability.)

User enumeration can be undesirable and there are indeed potential security implications (e.g. if an attacker finds out there is a valid account named admin which they might try to access). But for large sites it's something you can't stop from happening.

Even if you don't reveal during login that a user doesn't exist, you will eventually have to warn new users when they attempt to register an already taken name or with an already used e-mail address.

There is no user-friendly way around this:

Create your Google Account

Arminius
  • 44,770
  • 14
  • 145
  • 139
  • 2
    An already used e-mail address is surely not a problem if you just send an e-mail to the given address saying that someone has tried to set up an account, and whether there already is one for that address. But that won’t stop them finding out if the username is in use, though the e-mail would slow it down nicely. If you do not mind giving them random numeric suffixes to append to their names then they also cannot probe existing names. – PJTraill Apr 25 '17 at 16:46
  • 3
    It also depends on the service. On a Ashley Madison type portal you don't want to confirm if a email address is signed in or not. For a user name 'tom' this is less of a problem. – eckes Apr 26 '17 at 00:30
  • There is a way of stopping even the "create user" enumaration. You can allow duplicated usernames. i.e. enumerate users by some surrogate key and allow the same username to different users. And then cross-fingers that two users will not choose the same password :) . Quite a horrible solution, but possible. – grochmal Apr 26 '17 at 20:04
  • 1
    @grochmal That's why I said "no user-friendly way". My main point is that this issue shouldn't be a top priority for most applications. Allowing the enumeration of users and e-mail addresses in one way or another is accepted by all major platforms I know. – Arminius Apr 26 '17 at 20:13
  • 1
    @grochmal: That makes no sense at all. How are you going to send email to a person if someone else can acquire exactly the same email address? – user21820 Apr 27 '17 at 10:36
  • 2
    @user21820 - I did not mention emails at all. It is just usernames and user IDs. The user then can or can not add an email to which he can be contacted for password resets and similar stuff. I saw this implemented (and it was still horrible). – grochmal Apr 27 '17 at 13:00
  • 1
    @grochmal: Ah okay. I thought you were responding to the answer, which is about email, as was the question. Since you're not, I agree it is possible (though silly). – user21820 Apr 27 '17 at 14:11
  • ...or delay the error message as to the latest point possible in the signup process to make enumeration as awkward as possible ... not user friendly either... – rackandboneman Apr 27 '17 at 14:18
  • To be fair, it could be useful to have a dummy account named "admin", with no privileges whatsoever, so that the site can keep track of anyone who attempts to access it. – Justin Time - Reinstate Monica Apr 27 '17 at 16:29
  • you can do it by allowing them to go through the registration. then instead of receiving a confirmation email, the user receives an email saying they already have an account. it is not that user friendly, but you do get to warn them without revealing the account to others – symbiont Jun 22 '23 at 15:39
7

Safety is relative. It is slightly safer not to give out information about whether the account exists or not. But that doesn't mean that it is unsafe to give out that information. It is just less safe, and only very slightly so.

This is particularly true in the examples you give; there are other ways to find account names, so there is no gain in trying to hide whether or not the account exists.

As with any form of security by obscurity, hiding account names is a weak security control, and other controls are needed.

Ben Aveling
  • 276
  • 1
  • 8
3

I agree with @Silver's answer, but want to expand. Keep in mind the context; the OWASP guidelines are meant as rules of thumb for developers who are not security experts. If a software development company has team of top-talent security architects, then they don't need to follow the rules of thumb blindly so long as they understand the intention behind the rules and are mitigating the risks in other ways.

Analogy: you are supposed to change your car's oil every 3 months or 5,000 km, but car mechanics often push it longer when they know their driving habits have been good. And that's perfectly ok.

As for the specifics here, I am not an expert in user enumeration vulns, nor am I privy to why Google and Microsoft made the decisions they did, but I presume they have rate-limiting and black-listing in place to prevent large-scale user enumeration attacks, and have otherwise decided that the user convenience is worth the added risk.

Mike Ounsworth
  • 59,005
  • 21
  • 158
  • 212
1

It's probably too hard to say they violate the OWASP guideline, because for applications and service like Google, Microsoft, they need to be as much as possible "user compliant".

Moreover, they all have or offer 2FA protocols.

amonsec
  • 42
  • 4
0

The purpose of not disclosing the active user identifier is to prevent enumeration of a large number of the accounts.

Strictly speaking, you could protect against this by allowing duplicate accounts, but this is a terrible design and will lead you to all kinds of trouble.

Another way you can do this is to assign users an identifier - constructing one that is unused. But this is such a poor usability experience that it might not be worth it *.

The sensible way to mitigate the risk is to implement any anti-enumeration feature - for instance, a good quality captcha, to slow down any enumeration attempt. Then the design is reasonably safe.

The residual risk is then that you leave open the verification of one very high value account - for instance, barack.obama@gmail.com. Then you mitigate this risk by also implementing a control against password cracking attempts, etc.

* Salzer and Shroeder, The Protection of Information in Computer Systems, Section I.A.3)h) Psychological acceptability: It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly. Also, to the extent that the user's mental image of his protection goals matches the mechanisms he must use, mistakes will be minimized. If he must translate his image of his protection needs into a radically different specification language, he will make errors.

Douglas Held
  • 241
  • 1
  • 7