Username does not exist
Could not have said this better:
I’m not a security expert by any means, but I do know a little about it, so I often have a good idea of what makes a system more secure and what falsely makes you feel more secure. I heard a statement recently about security that I’m going to rail against for a bit, because I think it needs to be said, and because I’m annoyed by interfaces that have this attitude.
The argument is this: It is a security hazard to tell someone logging in to a service that they have entered an invalid username. The main argument I’ve heard for this is that it allows an attacker to, by process of elimination, determine a valid username, and eventually enumerate all the usernames.
First, who cares? Usernames are not supposed to be private. You don’t enter them into a text box and have asterisks show up (or, if you’re in a UNIX shell, have nothing show up). They’re there for the world to see. Often, that’s how they know you in this service. There’s no reason to try to protect this information from hackers, because they can easily get it elsewhere. The password is what’s supposed to be secure.
Second, as for enumerating all usernames, it would take the same amount of time to do that as it would to just guess all possible passwords for an account, and it’s as easily preventable with a three strikes policy or something similar.
This is part of my general dislike of being treated like a hacker when I’m trying to legitimately use services. Now, that’s not to say they shouldn’t prevent me from hacking in, and treat all my inputs with skepticism, but the interface shouldn’t assume I have malicious intent. There’s a forum that I read a lot that uses Dragonfly, and whenever I quickly click through a couple of things, if it’s a quick post or whatever, I get a giant banner that says “FLOOD PROTECTION” then below it, “You are not allowed to flood our system. You may try again in # seconds.” That just seems like bad UI. I’m not trying to flood the system, I’m just trying to read some frick’n posts!

On DuckWeb, instead of telling you that your student ID was entered incorrectly, it says, “You are not authorized to use the DuckWeb Information System. For assistance, Faculty and Staff should contact the Office of Human Resources (346-3159) and Students should contact the Office of the Registrar (346-2935).” I mean, come on, I just mistyped one character, that I couldn’t see, because ID is now a password field. Now, I’ve seen that before, and know it just means that I have to try again, but the first time I saw it, I panicked a little. What did I do to get me kicked off of DuckWeb? This is not good UI. Not only that, but when you type in an incorrect PAC (Personal Access Code), it says invalid ID or PAC. So, the average user will not know that they have necessarily entered the wrong PAC, but the hacker will, because they give different messages. It’s the worst of both worlds!
Can anyone defend these practices?
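For readers who want to see the mechanism the quoted post is arguing about, here is an added example (written for this page, not code from the quoted author or from any of the services named above). It builds two toy login handlers over a constructed user table: one that answers "Username does not exist" versus "Incorrect password", and one that answers with a single message either way. An attacker's probe then sends a password that is never correct, uses a made-up canary account to learn what the "no such user" reply looks like, and flags every candidate whose reply differs. The usernames, passwords and messages are all invented for the demo.

```python
"""Username-enumeration oracle: leaky vs. uniform login replies.

Added example for this page; not the quoted post's code. The users,
passwords and messages below are constructed for the demonstration.
"""
import hashlib
import hmac
import os

_SALT = b"constructed-demo-salt"  # one shared salt keeps the toy short


def _hash(password: str, salt: bytes = _SALT) -> bytes:
    """PBKDF2-HMAC-SHA256; the iteration count is kept low for a fast demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed user table: username -> password hash (fake accounts).
USERS = {
    "alice": _hash("correct horse"),
    "bob": _hash("battery staple"),
}

# Hash checked against when the username is unknown, so the uniform
# handler does the same amount of work whether or not the account exists.
_DUMMY_HASH = _hash(os.urandom(16).hex())


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """Separate messages for bad username and bad password.

    The message itself tells the caller whether the username exists.
    """
    stored = USERS.get(username)
    if stored is None:
        return False, "Username does not exist"
    if not hmac.compare_digest(stored, _hash(password)):
        return False, "Incorrect password"
    return True, "Welcome"


def login_uniform(username: str, password: str) -> tuple[bool, str]:
    """One message for every failure, and equal work on every path."""
    stored = USERS.get(username)
    supplied = _hash(password)
    # Compare against the dummy when the user is unknown so the cost of
    # the request does not depend on whether the account exists.
    matched = hmac.compare_digest(stored if stored is not None else _DUMMY_HASH, supplied)
    ok = stored is not None and matched
    return ok, ("Welcome" if ok else "Invalid username or password")


def enumerate_users(login, candidates, probe_password="definitely-wrong"):
    """Attacker's probe: one request per candidate, password never needed.

    A random canary name that cannot be a real account reveals the reply
    for an unknown user; any candidate answered differently must exist.
    Returns the sorted list of names the handler gives away.
    """
    canary = "nx-" + os.urandom(8).hex()
    _, unknown_reply = login(canary, probe_password)
    found = []
    for name in candidates:
        _, reply = login(name, probe_password)
        if reply != unknown_reply:
            found.append(name)
    return sorted(found)


if __name__ == "__main__":
    wordlist = ["alice", "bob", "carol", "mallory"]
    print("leaky   :", enumerate_users(login_leaky, wordlist))
    print("uniform :", enumerate_users(login_uniform, wordlist))
```

Run stand-alone it prints the two real accounts for the leaky handler and an empty list for the uniform one. Note that the probe sends one request per candidate and never has to guess a password, which is the difference between enumerating usernames and brute-forcing a password; the uniform handler also hashes a dummy on the unknown-user path so the two outcomes cannot be told apart by response time either.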