开发者

Failed Validation Messages

Here is the question I have been posed:

"What is the best way to handle in valid credentials when logging into a site. Do we tell the user if their username was invalid? Or likewise if their password is invalid?"

I did some searching, but I'm having trouble finding a site with some best practices for this, to refer them to.

My Question for the community here: Does开发者_如何转开发 anyone here know a site that has some good guidelines/best practices for this?


Just say that their credentials were incorrect.

Telling them that one piece of information was correct means that you're helping hackers discover user names at the very least.

If I enter:

admin

Password1

for example and I get a response that the password was invalid I now know that there is a user called "admin" on you system. I can now just vary the password in an effort to gain access.

If the response was "invalid user name or password" then I'm no wiser about whether there is a user called "admin" or not.


The most authoritative discussion I can find on this issue is from the "Web Security Testing Cookbook," Recipe 12.8.

The book points out:

  1. You should provide a generic message indicating either the username or password was incorrect; revealing that just the username is correct allows attackers to enumerate valid usernames.
  2. Account lockout functionality, after X number of tries, also carries the same risk; attackers can lockout accounts to find out if the usernames were valid or not.

You can read the whole "recipe" via Google Books here: http://books.google.com/books?id=VmrSJ3V-s_MC&lpg=PA249&ots=cU7V62FQOA&dq=web%20security%20reveal%20valid%20username&pg=PA248#v=onepage&q=web%20security%20reveal%20valid%20username&f=false

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜